VOLUME VII
IN THE UNITED STATES ARMY

UNITED STATES
VS.

MANNING, Bradley E., PFC                    COURT-MARTIAL
U.S. Army, xxx-xx-9504

Headquarters and Headquarters Company,
U.S. Army Garrison,
Joint Base Myer-Henderson Hall,
Fort Myer, VA 22211

The Hearing in the above-entitled matter was held on Monday, June 17, 2013, commencing at 1:35 p.m., at Fort Meade, Maryland, before the Honorable Colonel Denise Lind, Judge.
DISCLAIMER

This transcript was made by a court reporter who is not the official Government reporter, was not permitted to be in the actual courtroom where the proceedings took place, but in a media room listening to and watching live audio/video feed, not permitted to make an audio backup recording for editing purposes, and not having the ability to control the proceedings in order to produce an accurate verbatim transcript.

This unedited, uncertified draft transcript may contain court reporting outlines that are not translated, notes made by the reporter for editing purposes, misspelled terms and names, word combinations that do not make sense, and missing testimony or colloquy due to being inaudible by the reporter.
PROCEEDINGS

(Reconvened at 1:35 p.m.)

THE COURT: Were there any issues we need to address before we proceed?

MAJOR FEIN: All parties in the court last recess are present.

THE COURT: Thank you.

MAJOR FEIN: United States offers to be read on to the record Prosecution Exhibit 137, a stipulation of expected testimony for Mr. Maxwell Allen dated 16th June 2013.

(Stipulation being read.)

THE COURT: I have a question for you. I'm looking at Prosecution Exhibits 138, 139, they're not legible.

MAJOR FEIN: At the next recess the United States will look 138 and 139 and get a clearer copy.

THE COURT: Prosecution Exhibit 141 for identification is admitted. Prosecution Exhibit 140 for identification is admitted.

CAPTAIN MORROW: Your Honor, United States offers Prosecution Exhibit 142 for identification. It's the stipulation of expected testimony for Staff Sergeant Peter Bigelow.

THE COURT: I believe I already admitted that.

(Stipulation being read.)

MR. MORROW: United States offers Prosecution Exhibit 143, stipulation of expected testimony for Special Agent Alfred Williamson dated 17 June 2013.

(Stipulation being read.)

MR. MORROW: Your Honor, at this time prosecution moves to admit Prosecution Exhibits 47, 48, 144, 145, and 146, and 147 Alpha, and 148 Alpha for identification into evidence.

MR. HURLEY: No objection, Your Honor.

THE COURT: So admitted.

Prosecution Exhibit 148 Alpha is admitted. Prosecution Exhibit 147 Alpha is admitted. Prosecution Exhibit 147 Bravo for identification is admitted. Prosecution Exhibit 146 is admitted. Prosecution Exhibits 47 and 48 are admitted. Prosecution Exhibit 146 is admitted. 145 is admitted. 144 is admitted.

Any other exhibits I have failed to admit?

MAJOR FEIN: That's it, Your Honor.

THE COURT: At this time why don't we take a brief recess and I want to see counsel for just a brief second.

Ten minutes sufficient?

MAJOR FEIN: Yes, Your Honor.

MR. COOMBS: Yes, Your Honor.

(Hearing recessed at 2:10 p.m.)

(Hearing resumed at 2:20 p.m.)

MAJOR FEIN: Your Honor, there might be some confusion about Prosecution Exhibits 147 Alpha, 147 Bravo, and 148 Alpha, and 148 Bravo.

Prior to the recess United States moved to admit Prosecution Exhibit 147 Alpha or 148 Alpha. Those are the 20-page extracts from the two text files based of Special Agent Williamson's stipulated expected testimony.

In addition to that now United States moves to admit as 147 Bravo and 148 Bravo one page redacted versions of those 20 page extracts in order to be used in open court.

THE COURT: Any objection?

MR. HURLEY: No, ma'am.

THE COURT: I'll visit those momentarily. Are there any other administrative issues that we have to address?

MAJOR FEIN: No, ma'am.

MR. COOMBS: No, Your Honor.

THE COURT: Okay.

Did you have an opportunity to look into I believe it was Prosecution Exhibits 138 and 139?

MAJOR FEIN: United States is still trying to find a cleaner copy of those and we'll bring it to it Court's attention as soon as we obtain them.

THE COURT: Prosecution Exhibits 147B and 148B are admitted.

Please proceed.
MAJOR VON ELTEN: Your Honor, United States calls Chief Ronald Nixon to the stand.

Whereupon,

CHIEF RONALD NIXON,
called as a witness, having been first duly sworn to tell the truth, the whole truth and nothing but the truth, was examined and testified as follows:

DIRECT EXAMINATION
BY MAJOR VON ELTEN:

Q  Your Honor, Chief Ronald Nixon, Army cyber unit?

A  Yes, sir.

Q  What is your current position?

A  My current position, I'm senior warrant officer in the Enterprise Management Division G32 Army cyber command.

Q  What does that entail?

A  We manage literally all the Army networks from secret level and below across the Enterprise which is across the global scope to include tactical and strategic systems.

Q  What is the Enterprise?

A  The Enterprise is the — Enterprise is the network as whole. The Army refers to it as the land (INAUDIBLE) but it is the network all encompassing.

Q  What position did you hold prior to this one?

A  Prior to that one I was the senior warrant officer in plans and operations division G6 (INAUDIBLE).

Q  What did that entail?

A  Very similar duties, a tactical scale. So support the combat operations, planning operations, services, management and network design.

Q  Where were you?

A  At Fort Hood.

Q  What certifications do you possess?

A  CCMP, Cisco assist co-certified CCMB, CCMA CCM security CCM (INAUDIBLE) and CIS group.

Q  What are the CC in certifications?

A  Cisco certified network and then professional associate and associate security and associate voiceover IP.

Q  What do those certifications signify?

A  An understanding and tested understanding of network architecture and design, engineering, and management.

Q  What is CISSP?

A  It's really the current industry standard for securing an information assurance.

Q  What is the level of technical access and review of the DoD 8578?

A  Level 3.

Q  Is what the highest level?

A  Level 3.

Q  What certification is required for that?

A  It requires a technical skill set which would be higher been a CCNA and then a policy piece which would be my CISSP.

Q  Let's talk a little bit about your last time in Iraq?

A  Yes is.

Q  What was your position there?

Provided by Freedom of the Press Foundation

UNOFFICIAL DRAFT - 6/17/13 Afternoon Session

A  I was the senior warrant and the planning and operations (INAUDIBLE).

Q  When were you there?

A  I was there from February of '09 to February of '10.

Q  What did that position entail?

A  Network engineering, design, planning for operations, support for the entire theater of Iraq.

Q  What is USFI?

A  That's the four star's headquarters. That was created when they combined MNFI and MNCI into a joint four star headquarters, rolling up the I corps, the corps headquarters (INAUDIBLE).

Q  Let's talk about the global address list. What is that?

A  The GAL, global address list, is are talking about the global address for a user server or are you talking about the global address list as a whole?

Q  As a whole.

A  The global address list is a product from the active directory global address list which everyone, every person who has an account has access to that domain and every machine that's added to that domain is cataloged.

Q  What is the global address list for a user?

A  The global address list for the user is the interface that most of them see through Outlook and what that is in a sense is a phone book. It is a phone book equivalent for all of your services out there, but it does contain user's e-mail, any alias e-mail accounts, any pertinent information that would be added for the ease of the user. So it helps me find your phone number and things like that.

Q  Until how many people were on the USFI GAL in 2009/2010?

A  160,000.

Q  What server was that accessible on?

A  Across a run of servers. You're able to access the GAL through — for an exchange you'll be able to access the GAL through Outlook (INAUDIBLE) also for the system administrator you will be able to access the GAL through Outlook on his machine and also for a system administrator he would be able to access the GAL through either the exchange server or the active server, the domain controller.

Q  What type of information does the GAL contain?

A  Again, from an individual user perspective, so I can't for (INAUDIBLE) as an example would have the pertinent information for you when you first set up your account, when you were added to the domain, any alias addresses you would have, for instance, you would have in Iraq, you would have the Iraq.centcom.mil plus if you have your (INAUDIBLE).mail attached to that account and you set an account or a CENTCOM joint account, things like that, for the individual user; but it also contains the additional — when you're looking at the GAL from that directory standpoint. It also contains all of the additional security information user name, password, certificates that are attached to that, and then anywhere they sit within the (INAUDIBLE) domain structure.

Q  You talked about active directory what is active directory?

A  Active directory is — active directory is the directory service that all Microsoft servers use to be able to talk and interconnect with one another. Prior to active directory exchange, exchange, for instance, used to have (INAUDIBLE). They created an active directory to combine all of those services together, to join them all at one place so it allows all of the servers to be able to crossing communicate so SharePoint file servers exchange things like that that are all allowed to talk it sets the permission of what they're allowed to talk to.

Q  What is a directory of service?

A  So directory service is my category for servers to be able to talk to another one without getting too technical, it really is just — so, for instance, my domain control my active control says that I am allowed to talk to this division or this corp at these levels and then establishes the trust relationship between them.

Q  What is the purpose of active directory?

A  Active directory is the core backbone for all directory services for Microsoft exchange server. So for a brigade, for division level exchange server to be able to talk to somebody else within USFI they would have to be able to access those primary active directory, that directory itself (INAUDIBLE) to do those cross talks.

It's also a certification process if you wanted to be able to access another type of server SharePoint that checks your credentials (INAUDIBLE) yes Captain might not be able to do these things and this is what he's able to do.

Q  What credentials does it show?

A  Well, depending on how you're (INAUDIBLE). For Iraq user name and password was the primary means of credentials.

Q  What are permissions?

A  Permissions are, what am I allowed to do on a set system or server. So primary example is, user services. By Army regulations DODI CJCSI regulations (INAUDIBLE) a user is only allowed to do certain things on his machine.

He's allowed to access the Internet. He's allowed to open up and (INAUDIBLE), but you're not allowed to install anything on your machine as a user. You can't even update your machine any more.

Q  How does active directory support security?

A  By a couple of different ways. One is it sets everything up in a domain structure. So basically it tells you (INAUDIBLE) what can talk to you, what can you talk to around within the network.

It sets and manages by permission levels for my individual user, my system administrator and my network administrators, then it also controls the trust relationship between the different domains. So that trust relationship is an exchange of information from one domain or one set of servers, to put it simply.

So from USFI to 1st Cavalry Division, the domain control is established and maintain that relationship, kind of like a traffic cop.

Q  How does the active directory interact with the GAL?

A  So your active directory for — so let's take it from a GAL perspective of the user.

Q  Okay.

A  Okay. So GAL perspective from the user, I'm an e-mail Internet exchange and I log on to Outlook. The GAL I see from that is a product of the active directory GAL. It is then basically it's what the exchange server pulls to create the GAL. So it is a direct product of the active directory global address list.

Q  How does active directory interact with the GAL from a system administrator perspective?

A  From the system administrator perspective (INAUDIBLE) lot into a system as a system administrator, the active directory says, Chief Nixon is allowed to add programs to the software.

I'm allowed to push updates. I'm allowed to do things that in order to affect change to that insurance or affect change on the server or the network within that rule set because of the dangers of system administrative (INAUDIBLE) to what approval so I'm now allowed to have access to e-mail, and I don't have access to an e-mail account while being the system administrator.

Q  What software does a user use to interact with the GAL?

A  Primarily would be Outlook. It's where they see it the most often.

Q  Do you how many people created the NIPR in USFI?

A  Reword the question, please, or ask it a different way.

Q  How many people are involved with developing it initially?

A  The initial development of the GAL for USFI took place over the years. Multinational (INAUDIBLE)

MR. HURLEY: Objection. Is that personal knowledge?

THE COURT: Do you want to develop a foundation for that?

MAJOR VON ELTEN: We'll move on, Your Honor.

BY MAJOR VON ELTEN:

Q  Let's talk about the resources that go into creating and (INAUDIBLE) the GAL. What hardware does the network did the GAL use for the network?

A  So for the GAL primary active directory and exchange structure in Iraq for NIPRnet, you had four nexus backbone switches, two for the primary and two for the back up group and then you have a stack of 64 server suites that supported the primary site, and after that you also had all the normal network infrastructure cable (INAUDIBLE) switches, outside equipment.

Q  What is a nexus switch back?

A  The nexus switch is a five channel high speed (INAUDIBLE) switching backbone used to support the back of your server (INAUDIBLE) servers to be able to communicate in no (INAUDIBLE).

Q  How many does the NIPRnet use?

A  Four, two on the primary and two on the backup site.

Q  What is the cost?

MR. HURLEY: Objection, hearsay.

THE COURT: Sustained.

BY MAJOR VON ELTEN:

Q  Were you involved in contracting for the backbone service?

A  Yes. I was the technical oversight for the DRS contract at the (INAUDIBLE) of the USFI services in Iraq.

Q  Who managed the hardware?

A  Who managed the hardware? We had a 20 to 24 contracted personnel that worked in the services section within the JNCCI, one warrant officer, one major, and five or six enlisted personnel.

Q  How much time did they spend working on this?

A  24/7 365, no breaks.

Q  What was your interaction?

A  I worked with them on a daily basis for planning administration and fulfillment of requirements for services across all Iraq.

Q  How many servers did the GAL require for NIPRnet?

A  The GAL itself would have been present on — well, the active directory itself. So you're talking about (INAUDIBLE) that comes into that physical server suite of 64 servers that we used to maintain and run NIPRnet within Iraq.

Q  How many of those servers were physical servers?

A  I'm talking about 64 physical servers, virtual servers is over a hundred.

Q  What is a physical server?

A  Physical server is a Dell or whatever brand of (INAUDIBLE) that you actually put your hands on and hold. Hardware, hard drive memory, processor, I can actually put my hands on and touch.

Q  What is a virtual server?

A  Is a software driven and software created server. Use visualization sayings to be able to reduce the amount of physical overhead you have as far as power and things like that. Power and physical requirements for the servers it also allows you to share resources if you have a failure in one I can replicate back up to another with no loss of service.

Q  How many contractors worked on the server?

A  We had those 25 to 24 contracted personnel are the same ones that did the maintenance and (INAUDIBLE).

Q  How often were those contractors working on the servers?

A  24/7 365 always.

Q  Who paid their salaries?

A  The salaries were paid out of the USFI funding.

MR. HURLEY: Objection, hearsay.

BY MAJOR VON ELTEN:

Q  Is that from your personal knowledge?

A  Not a fact, out of the budget.

THE COURT: How do you know that?

THE WITNESS: The (INAUDIBLE) of USF over sizes for the (INAUDIBLE).

THE COURT: Sustain the objection.

Go ahead.

BY MAJOR VON ELTEN:

Q  What's your involvement in budgeting?

A  In budgeting itself, none. I didn't do a budget, per se. It was over technical oversight and management of the contract.

Q  How did you — did you manage cost?

A  I had oversight on cost. I didn't — I wasn't a yes or no person on that, but we managed so something was cost prohibitive or something like that we would (INAUDIBLE) but we saw all functions of the contract.

Q  What cable did the GAL use?

A  The server infrastructure used a massive amount of cabling between the primary and secondary sites, and all of the cabling in structure and (INAUDIBLE) basis and every insulation you have to switch infrastructure (INAUDIBLE).

Q  What the (INAUDIBLE) account GAL require?

A  The server infrastructure at USFI was in excess of 100,000 thousand tons of cooling and power.
Q  What does that mean?

A  Well, you equate — so when you cool your house you have a number of BTUs it takes to cool your house. Your standard wall air condition is 15,000 BTUs. You buy a 15,000 BTU at Wal-Mart.

We're looking at (INAUDIBLE) and take that and multiply it by 2,000, but it's the actual physical cooling requirement for the servers and all of the networking equipment that's supported inside of that building.

Q  What of transmission infrastructure did the GAL use?

A  Well, the GAL used server infrastructure of Iraq used two sonic rings that moved in and around Baghdad and north and south had a sonic ring and you had a satellite structure backup.

Q  Let's talk a little bit about the software. What software did the backbone servers require?

A  Well, the backbone servers required your Microsoft suite of servers. So we ran (INAUDIBLE) to 2003 and 2008 across Iraq Enterprise licenses for those and you had exchange the active directory.

So that would be four core backbone services that we've talked about here and your management consoles and all of the supportive structure for that and antivirus host based firewalls and those (INAUDIBLE).

Q  What is virtual (INAUDIBLE) software?

A  So in Iraq we used (INAUDIBLE) wire aid to do creating a virtual environment for services and services stacks within Iraq. So you run a virtual environment. So it allows me to create multiple servers on a single platform to be able to share my resources.

Q  What server software was used?

A  Well, we used server 2000, we used 2003 and 2008, and then the active directory software that was used management console and exchanges itself.

Q  How many licenses were required?

A  They're Enterprise licenses. So depending on how you purchase from Microsoft at the time you purchase an Enterprise license and based on the number of systems.

For instance, let's take the NIPRnet. We ran 120, 130 instances of Microsoft Exchange to be able to support — Microsoft server 2003 or 2008 to be able to support 160,000 customers.

Q  How many licenses did active directory require?

A  It would have been the same thing, very similar. Again, same thing and you buy an Enterprise license (INAUDIBLE) but then I have to buy myself (INAUDIBLE) software based on a number of (INAUDIBLE) that you have to be able to support. So in that case it would have been about 160,000.

Q  What kind of maintenance did the GAL require to keep it current?

A  Well, of course, you've got secure web dates and you've got your daily (INAUDIBLE). So any time an update comes out from Microsoft you have to able to maintain security or maintain (INAUDIBLE) on the platform.

So you have Microsoft at least once a week and for antivirus and securities sometimes daily.

Q  Who updated the GAL?

A  Again, updating the GAL are we talking about from a update perspective or are we talking about from a content perspective?

Q  First from an update?

A  Same 20, 24 contractors and the military staff who worked in the JNCCI for USFI.

Q  Who updated the GAL from a content perspective?

A  From a content perspective your updates were done from all across the board. We have local system administrators who would create (INAUDIBLE), your help desk, and then you've got your overall maintenance of the GAL that would have been active directory or exchange which would have been done at USFI.

Q  How often — how many people were involved with updating content?

A  Well, from USFI perspective, we're talking at same 20 to 24 personnel plus enlisted staff but that doesn't count the ITT contract that is spread out over Iraq that (INAUDIBLE) all of our help.

Q  How often do your military staff work on this?

A  All the time.

Q  How many?

A  Dozens, sir, because you have the strategic single (INAUDIBLE), and supported by the help desk. Then you have some type of military personnel sitting on top of you (INAUDIBLE). Then you're talking USFI again. The USFI guys you're talking about Major (INAUDIBLE) and enlisted (INAUDIBLE).

Q  How are updates pushed out to the GAL?

A  Updates to the GAL from again from a content service or from a —

Q  Content.

A  From a content point of view, they were done constantly. So, again, if somebody came into country the first time and the account was created then that update would have been done then, and there does take about 24 hours for the update to take place when you're talking about from a content standpoint.

Adding a machine to a domain, those are recurring costs of things that happen all the time. They've actually a day-to-day function, and then my maintenance updates would have pushed down from USFI, from contract to the military staff (INAUDIBLE).

Q  How was GAL information stored?

MR. HURLEY: Objection, Your Honor.

MAJOR VON ELTEN: Resources prior to maintaining his evaluation?

MR. HURLEY: I think we've (INAUDIBLE) resources to maintain the GAL.

THE COURT: Go ahead.

BY MAJOR VON ELTEN:

Q  How is GAL information stored?

A  For the physical storage of the GAL was maintained on the two, for the NIPRnet was NIPR and SIPRnet both on the installed at USFI headquarters. That's where the primary repository was and then you had servers at each and every instance of exchange order across Iraq.

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Q  What  is  the  SAN? 

A  SAN  is  storage  area  network. 

Q  How  much  does  a  SAN  hold,   how  much  storage? 

A  Ours  was  in  the  hundreds  of  terabytes . 

Q  How  many    (INAUDIBLE)   are  required  for  the 

NIPR? 

A  Two,    one  primary  at  the  one  primary  at  USFA 

headquarters  and  one  another  the    (INAUDIBLE) . 

MAJOR  VON  ELTEN:     Retrieving  Prosecution 

48. 

MAJOR  VON  ELTEN. 

Handing  Prosecution  Exhibit  Number  48  to 

the  witness . 

MAJOR  VON  ELTEN: 
Q  Chief  Nixon,    do  you  recognize  this? 

A  Yes,  sir. 

Q  What  is  it? 

A  It ' s  a  CD  that  says  GAL  on  it . 

Q  Have  you  reviewed  it? 

A  Yes,  sir. 

MAJOR  VON  ELTEN:     Retrieving  Prosecution 
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exhibit    (INAUDIBLE)    I'm  handing  it  to  the  court 
reporter.     Retrieving  Prosecution  exhibit  148  Bravo  and 
handing  it  to  the  witness . 

MAJOR  VON  ELTEN:     Permission  to  publish. 
THE  COURT:  Proceed. 
BY  MAJOR  VON  ELTEN: 
Q  Do  you  recognize  this  Chief  Nixon? 

A  Yes,  sir. 

Q  What  is  it? 

A  This  is  the  —  this  is  the  output  of  a  GAL 

pool  from  one  of  the  foreign  exchange  servers  at  USFI . 
Q  How  do  you  know? 

A  The  ones  I'm  looking  at  if  I  look  at  the 

domain  names  they're  all  present  on  Iraq   (INAUDIBLE) . 
So  these  were  all  the  e-mails  addresses  that  I  stored 
(INAUDIBLE)   transferred  to  GAL  and,    of  course,  the 
string,   the  way  the  string  is  set  up    (INAUDIBLE)  that 
shows  the  SNPT  string  you  can  go  to  Outlook  and  look  at 
bring  up  two,   but  the    (INAUDIBLE)   that  would  be  the 
string  you  would  see  up  there . 

Q  What  is  a  domain? 
A  A domain is the space, the name space, that you
operate within in a network. So in Iraq we use
iraq.centcom.mil, prefixed with that (INAUDIBLE). So
those are the operating spaces, the named operating
spaces that you operate in. So each one that's
different from another represents a domain that you had
to have trust relationships with to be able to talk or
communicate across with another one.

Q  Retrieving Prosecution 47. What (INAUDIBLE)
handed you, Chief Nixon?

A  You've handed me a CD with GAL names on it.

Q  How do you know?

A  I've seen it before, sir.

Q  Retrieving Prosecution Exhibit 47 and
retrieving Exhibit 137 Bravo. Do you recognize this?

A  Yes, sir.

Q  What is it?

A  This is the — this would be the names that
you would get.

Q  A GAL or the (INAUDIBLE) someone. For
instance, if you were looking at "To," if you find the
first part of somebody's name and hit Control-K, that would
be what you would see. It's the user's reference or
interpretation of GAL information.

Q  What information is displayed in this?

A  Anything that's entered. Well, standard for
military is first name, last name, rank, and then unit
affiliation. So, again, you're able to tag somebody
down to what unit they work at very quickly and easily.

MAJOR VON ELTEN: Returning Prosecution
Exhibit 137 Bravo.

BY MAJOR VON ELTEN:
Q  What is a COOP site?

A  It's a continuity of operations site, the backup.

Q  What's its purpose?

A  For both military, for (INAUDIBLE)
regulations and per combat operations in a war
(INAUDIBLE), to have the ability to abandon all of your
information. So for Iraq, for the USFI services in
Iraq, the Iraq domains, we created and installed — to
allow a back —

THE COURT: What is it called?
THE WITNESS: Copy keeper. AR 500-3, I
believe.

BY MAJOR VON ELTEN:
Q  What resources are required for the COOP
site?

A  So for Iraq we had maintained real time.
We had to maintain real-time replication. So that's
why the Nexus fibre channel switches were the
primary ones you had for the backbone services. It
basically requires similar storage, nearly the same
operating space and capacity for the physical
serving environment.

Q  Who had access to the (INAUDIBLE) in Iraq?

A  From a user perspective?

Q  From a user perspective.

A  From a user perspective you had access to
the GAL if you're registered in the domain to have
access.

Q  What people would have registered?

A  Only e-mail people with created accounts.
So you'd have signed your user agreement,
being cleared to be able to do so, and you had an
account created.

Q  What people in the United States would have
access to such (INAUDIBLE)?

A  From the United States?

Q  Yes.

A  None.

Q  So what people in Iraq would have had
access to the USFI?

A  The people who work on the USFI domain.

MAJOR VON ELTEN: Retrieving Prosecution
Exhibit 48.

BY MAJOR VON ELTEN:
Q  Chief Nixon, what information is on that
CD?

A  It's the list of GAL e-mail traffic or the
exchange pull from the exchange server in Iraq. So the
e-mail information.

Q  How do you know?

A  As I said before, when it was up on the
screen you can see — one is you can see all of the
Iraq domain name information on there, and the SMTP
(INAUDIBLE). Do you (INAUDIBLE) and you click e-mails,
you would actually see — that would be the information
you would see in there in that context box.

Q  How much access would one have, and how much of
the (INAUDIBLE) would an individual user have access to?

A  So within Exchange, Outlook gives you a set
view. That would be the information that's provided,
for lack of a better term, for public consumption within the
Iraq network. So name, contact information, those
types of things, e-mails, any groups that you belong
to; that would be the content that you would see.

You wouldn't be able to see further
information like what your permission sets were or what
OUs you belonged to or domain structure you belonged
to.

THE COURT: What?

THE WITNESS: Each operating environment
within your domain structure.

BY MAJOR VON ELTEN:
Q  What does OU stand for?
A  It escapes me right now, sir.

Q  How many of the 160,000 accounts could the
individual user see who had access to the GAL?

A  All of them. So when I hit Control-K in
Iraq at our IP headquarters, if I didn't put any
information in there, I would (INAUDIBLE) approving all
160,000 names.

Q  What if you worked at headquarters just on
a (INAUDIBLE)?

A  If I was — let's take (INAUDIBLE) at 1st
Cav headquarters, (INAUDIBLE) with them on a regular
basis (INAUDIBLE), so they would be able to search my
GAL for a targeted individual, but they wouldn't
necessarily see the USFI headquarters.

So if you're within a division structure
you would see 25 or 30,000 names within that
infrastructure.

Q  How would a user access the other 13,000
names?

A  You would have to search for them. As long
as they're in the Iraq domain you would have to search
for them. It's not an automatic "here you go and it's
done."

To keep from overloading the system, if you
pulled out 160,000 names in Outlook, you know, you're
just going to lock your system up. So, you know, but do
you have access to all of them? Yes. Can you actually
pull and stream the rundown on all 160,000? No; but,
yes, you definitely have access to all of them.

Q  How many e-mail accounts were reflected on
that CD?

A  I want to say it was about 24,000 were on
that CD.

MAJOR VON ELTEN: Retrieving Prosecution
Exhibit 48. Retrieving Prosecution Exhibit 47.
BY MAJOR VON ELTEN:
Q  How many names were on that CD?

A  The names on the CD matched the e-mail
exchange list line for line. So it was — it was about
24,000.

Q  What names would be hidden from GAL in 2009
and 2010?
A  We didn't want to hide names. In fact, if
you look at the names list, the first two names on the
list are General Odierno and General Austin.

Q  Who were they at the time?

A  They were the preceding and incoming USFI
commanders. So the four-star generals in charge of the
theater of operation inside Iraq.

MAJOR VON ELTEN: Retract the exhibit.
BY MAJOR VON ELTEN:
Q  Why didn't the public have access to the
NIPR GAL?

A  You don't want public access to your GAL.
It's not a — because of the information that's in
there, I mean, I don't need anybody to have General
Odierno's desk number, let alone contact information and
what groups they belong to and things like that. It's a
security issue. It's not a public consumption piece.

From a technical perspective (INAUDIBLE)
had to have access (INAUDIBLE). The NIPRnet is not a
public access network regardless of what people think.

MAJOR VON ELTEN: Thank you. No further
questions.

CROSS EXAMINATION
BY MR. HURLEY:
Q  Good afternoon, sir.

A  How are you, sir?

Q  I'm good. Thank you. Let's start here.
During your direct examination with Captain von Elten
you called the Active Directory the backbone?

A  Yes.

Q  And the backbone is the resource-intensive
element to this, correct, that the server space, the
personnel required, they're updating the Active
Directory and they're working with the Active
Directory?

A  Well, they work with all of the services.
When you say backbone, does the (INAUDIBLE). So
it's —

Q  The anatomical analogy a little further: the
Active Directory with its backbone just having a part
of this integrated service?

A  I don't know if I would use that
analogy, sir.

Q  It's a subset function of the Active
Directory?

A  It's a direct product of the Active
Directory. The Active Directory — GAL, global address list —
a couple of makings of everything that exists within
Active Directory, as fast as all of my servers and users
within Active Directory. So that's where all of that
exists. So my Exchange GAL is the direct product of
that.

Q  You can turn off the global address list as
part of the Active Directory?

A  What do you mean turn off, sir?

Q  You can just stop the function from
occurring if someone asked for the global access list
and it doesn't need to come up. That function doesn't
need to be performed?

A  Yes, you can not allow a user access to the
GAL.

Q  But you in this hypothetical scenario you
would still require that server space and resource to
maintain the Active Directory?

A  Yes.

Q  Let's talk about the GAL. This is during
the period of your deployment, sir, and as I understand
it that was in February of 2009 to February of 2010?

A  Yes.

Q  The GAL was always operational?

A  Yes, sir.

Q  And you used the GAL during this time?

A  Yes.

Q  And you never had a problem with it?

A  No, sir.

Q  No one ever — you never incurred any
prolonged or sustained problems with the GAL during
this period of time?

A  There's always outages across a network
that size, but that would be — primary, no, the
(INAUDIBLE) never went down hard, no, sir.

Q  And you don't recall any instruction on not
to use the GAL, force wide, USFI wide, don't use the
GAL, on all personnel in USFI?
A  No, sir.

Q  Now you indicated there are 160,000 — when you
say there are 160,000 user IDs on the GAL, that was
when you left in February of 2010. Is that where you
pinpoint that 160?

A  Yes, sir.

Q  But Prosecution Exhibits 47 and 48, the
disks, so there's 24,000 e-mails?

A  Yes, about that, sir.

Q  And the same 24,000, I mean, are the same
24,000 people on 47 and 48?

A  Yes, sir.

Q  And that 24,000, you would agree with me, is
substantially less than 160,000?

A  Yes, sir.

Q  A point about the information on there.
The phone numbers that would be associated with the
USFI GAL would be DSN numbers, correct?

A  Not all of them, sir.

Q  Some would be DSN?

A  You also had commercial cell phones. You
also had (INAUDIBLE) phone numbers that were tied to
Iraqi commercial land lines that there would have been
access to that.

Q  (INAUDIBLE) VOIP.

A  Yes, sir.

THE COURT: What is VOIP?
THE WITNESS: Digital voice.
BY MR. HURLEY:
Q  Just a moment. You said the Active
Directory performs other tasks besides the global
address list?

A  Yes.

Q  It helps to establish shared drives?

A  Access to shared drives.

Q  And it helps with other network tasks?

A  Yes, sir.

Q  And one of the functions it ultimately is
to produce the GAL?

A  Yes.

Q  And the GAL, there's — I just want to make
sure I get these terms right. There's a GAL as a
whole?

Provided by Freedom of the Press Foundation

UNOFFICIAL DRAFT - 6/17/13 Afternoon Session

A  That's right.

Q  And there's a GAL that the user pulls when
he says "show me GAL"?

A  Yes.

Q  This wasn't your first deployment in Iraq,
was it, Chief?

A  No, sir.

Q  So this — go along with this a little bit.
I'm just going to give you what I understand of the
process and you tell me where this isn't accurate.
Soldier deploys?

A  Yes.

Q  Gets to post or station or whatever?

A  Yes, sir.

Q  And then there would be a lag, posted time
between when she gets there and her e-mail is set up?

A  Yes, sir.

Q  And then eventually, as we all hope and pray
when we're in Iraq or Afghanistan, there's a period, the
deployment ends and we redeploy?
A  Yes, sir.

Q  For a period of time the GAL will still
reflect someone who has redeployed —

A  Yes, for a period of time. If things are
done right it's usually 24 or 48 hours. If not, we
would run a script (INAUDIBLE) was inactive for longer
than 90 days.

Q  And that was a task that was down to the
lower-level communications folks, making sure that the
24 to 48 hours?

A  The low level. The upper level — the
overhead piece was the script for the 90 days for the
(INAUDIBLE).

Q  The same thing for someone who had to
leave in the middle of deployment never to return, you
would hope that the lower-level communications people
would take them off, take them out of the Active
Directory, thereby taking them out of the GAL?

A  Yes, sir.

Q  That's the process, you get put into the
Active Directory to get access to the system; is that
right?

A  Yes, sir.

Q  And once you're in the system as a user you
can pull the GAL?

A  Yes, sir. It allows you to log on to your
machine and you have visibility or access to the GAL.

Q  A GAL as taken at any particular point in
time, there would be people in country with just no
e-mail access set up yet, that there would be people in
country that just don't have their e-mail (INAUDIBLE)
and going to have e-mail. Do you see what I mean?

I just (INAUDIBLE) that period of time we
were talking about where my e-mail account isn't set up
yet?

A  You would have a run of personnel, yes.
Been there for the first 24, 48, 72 hours, maybe up to
a week, depending on the size of the file and the
competency of the staff. You can be a little
(INAUDIBLE), you can sit around without access to the
e-mail.

Q  Is that snapshot that was taken on a day of
those individuals, wouldn't be on?

A  It's a possibility, yes, sir.

Q  And the snapshot that was taken for that
same day for people who redeployed but the information
just hadn't come off the network?

A  Yes, sir.

Q  As we look at?

MAJOR HURLEY: May I publish Prosecution
147.

THE COURT: Yes.
BY MAJOR HURLEY:
Q  Prosecution Exhibit 148 Bravo. Direct your
attention there.

A  Yes, sir.

Q  You indicated on direct that all of these
e-mails were Iraq-centric e-mails, correct?

A  Yes, sir.

Q  Now, if I'd linked up my AKO would it show
it for any of these individuals?

A  No, sir.

Q  It wouldn't show it?
A  No.

Q  Would it show it to any user that was
accessing the GAL?

A  For instance, when we created your account,
if you saved (INAUDIBLE) this or, for instance, when
you have an Enterprise e-mail account, your Enterprise
e-mail account is linked to your AKO. So it's tied —
so if you were to look at this traffic, if you were to
look at this screen now, if you can look at (INAUDIBLE)
there you would see both this e-mail and that one, but
your usarmy.mil of this domain (INAUDIBLE) of this
domain unless that traffic (INAUDIBLE).

Q  Typically speaking, when you would pull —
when a user would pull the user GAL, this is what
you'd see?

A  Yes.

Q  And in February 2010 you wouldn't even see
an AKO e-mail address up there?

A  No, sir.

Q  But nowadays with mail.mil?

A  We did have a small number of personnel who
had their e-mail accounts linked, a lot of CENTCOM
personnel. They had their e-mail accounts linked. So
if you, Major Hurley, had CENTCOM business and
USFI business at the same time, then we would have linked
both of those e-mail accounts within that.

Q  And it would pull them up?

A  It would only pull up your Iraq-centric
e-mail, sir.

Q  And at the time — at the time, and this is
February 2010, what we had back then were home station
e-mail accounts. Let's say I (INAUDIBLE)?

A  That was not (INAUDIBLE).

Q  And this was home station e-mail address. If
I deployed from Fort Stewart to Iraq, that's not reflected
up here, is it?

A  No, sir.

Q  And it wouldn't be reflected in the user
GAL that you would pull from Iraq?

A  Only if we had access to — if we were
(INAUDIBLE) those other domains. For instance, if I
could search CENTCOM's GAL list by putting these people
are (INAUDIBLE) installed, we had sync services with
those services, the same with the divisions up to the
(INAUDIBLE) USFI and down, and they with some on syncing
with the (INAUDIBLE) domain for Afghanistan and Kuwait
and Qatar, you would be able to pull those as a user
within the GAL you authenticated onto.

Q  You would have to pull them by name or
would they come up?

A  You would have to do the search. I would
have to say "Hurley," Control-K, and then you would have
gotten the guys in USFI and anybody we had in
(INAUDIBLE).

Q  Help me understand. Correct me if I'm
wrong, Chief. If you had this software and it's
working normally, once the Active Directory is
established then the GAL function can occur; is that
correct?

A  Yes, Exchange pulls that GAL from Active,
correct.

Q  And that's as easy as pushing a button?

A  From a user perspective, sir, or from an
actual services management?

Q  From a user perspective?

A  From a user perspective, yes.

Q  Any particular user would have had
access to all groups inside the domain?

A  No, sir.

Q  And so the user's access and the GAL that
they pull would reflect the domains they have access
to?

A  Yes, sir.

Q  So he wouldn't, as the user in that, he
wouldn't have had access to the entire user GAL?

A  Access and visibility, sir, that's what I'm
asking for: access or visibility. Access, yes, as long
as I'm doing sync with those other domains I can search
and look.

Q  But —

A  But did you just do a Control-K and all
populate? No, sir. They would require an elevated level
of (INAUDIBLE) to be able to do something like that.

Q  Just so I'm clear, that all the resources
you talked about with Captain Von Elten, they are
required for (INAUDIBLE) entirety of the operations, so
to build and maintain an Active Directory to do the
other functions the Active Directory performs as well
as to establish a global address list or GAL?

A  Yes, sir. It's an all-encompassing
server. (INAUDIBLE) I don't have Exchange without
Active Directory or any of those other services.

Q  Now, you indicated, Chief, that the names
on the CDs, they matched each other?

A  Right. If you were to go down to them, like
the first two on the top of the GAL, General Austin and
General Odierno, on the other two it was also General
Austin and General (INAUDIBLE) e-mail addresses.

Q  Did you compare those names or the
information on that CD to the global address as of May
of 2010?

Q  Did you personally do that? Did you
personally compare the information you were getting on
the CDs, did you compare it to something other than what
was on the CDs, to what you knew the global address was
in 2010?

A  No, I didn't do anything else other than
(INAUDIBLE).

Q  So you didn't — logically you don't do a
line-by-line comparison to those things and what was on
the GAL?

A  No, sir. I could guarantee though those
were both General Austin's and General Odierno's e-mails.
I had to deal with them on a regular basis.

MR. HURLEY: Understand that, Chief.
Nothing further, ma'am.

THE COURT: Redirect, Major Von Elten.

REDIRECT EXAMINATION
BY MAJOR VON ELTEN:
Q  Chief Nixon, how many e-mails can somebody
send if the Exchange or network goes down?

A  None.

Q  If somebody downloads the entire GAL to a
computer, how many e-mails can he send if the Exchange
or network goes down?

A  None.
Q  When you reviewed the names on Prosecution
Exhibit 47?

A  Yes, sir.

Q  Do you recognize other names?

A  Actually, there were a couple of system
administrator names belonging to headquarters. If you
go down the list a little ways there's a special camp
Hosen in the list, and then there were a number
of group accounts that I recognized, like the catfish
account, which was all of the air movement of the
theater, a couple of fire brigades (INAUDIBLE).

Q  Where were those people stationed, to tell you
the truth?

A  They were all in Iraq.

Q  Were they part of USFI?

A  Well, actually they weren't part of just
USFI, they were part of other organizations within
Iraq as a whole. They weren't actually USFI; they
belonged to all of Iraq, different.

Q  Were they part of the GAL?

A  Yes, sir.
MAJOR VON ELTEN: Thank you. Nothing
further.

RECROSS EXAMINATION
BY MR. HURLEY:
Q  Downloading, if a user wanted to download
the GAL, was it prohibited? Let me rephrase my
question.

If a user wanted to download a GAL for his
brigade, was that prohibited?

A  Normally a user wouldn't have the ability
to do that, sir. You would have to do a manual cut and
paste process, and even then it wouldn't be an easily
executable process without outside software. It's not
a user function to be able to download the GAL as a
whole. That's why when we had the conversations —
do you want to specify access and visibility, because
they're two very different things? Visibility to the
GAL as a whole within Iraq, yes, without a doubt; to
actually pull down and see all of the contextual
information within the GAL, as you were to pull down to
Excel (INAUDIBLE), is a very different entity, not a
user-level access task.

Q  Just to make sure I've got it all, Chief,
there can be an Active Directory without a GAL?

A  Yes, sir.

Q  But there cannot be a GAL without an Active
Directory?

A  No, sir.

MR. HURLEY: Thanks.

THE COURT: I have a few questions. Let me
make sure I understand your testimony. So I have the
Active Directory, which you basically have set up, all of
the user account information goes in, and it's
structured to, I guess, keep it a certain way?

THE WITNESS: It's just structured to make
sure all of my servers are able to talk to one another
across the network and maintain my relationships with
other servers in other domains. The user build is just
a part of that Active Directory function.

THE COURT: So the user build would be, if
I'm understanding your testimony, in an Active
Directory is structured such that users can go in and
with Control-K access certain information about people
who are part of the directory?

THE WITNESS: Yes, ma'am. The Exchange
server. So you (INAUDIBLE) you're using Outlook, the
Exchange server pulls that information from Active
Directory to present to you in a format that you're
able to digest, so you're able to use that
information.

So if you hit Control-K and you see you
and the other people with that last name,
(INAUDIBLE) smaller search.

THE COURT: Is it similar to Outlook today
where if you check addresses or —

THE WITNESS: All of that is different
parts of the same functionality, ma'am.

THE COURT: If you download, say do a
Control-K and you get all of the addresses, are you
able to go to particular addresses when you click on
their names, get the properties and other things at the
top of the screen and then find out further information
about that from these addresses?

THE WITNESS: Yes, ma'am.

THE COURT: So if you push Control-K is it
like a database thing?

THE WITNESS: It's a quick key function,
ma'am, for the same thing. That's all it is. If
you're talking about if you bring up the "To" function,
you start typing in names, the same thing. Control-K
is just a quicker way to do it. That's all it is.

THE COURT: Any follow-up questions
based on mine?

MAJOR VON ELTEN: No, ma'am.

MR. HURLEY: No, ma'am.

THE COURT: Temporary or permanent
(INAUDIBLE)?

MAJOR VON ELTEN: Temporary.

THE COURT: Let me make sure I don't have
any final questions here. I don't think I do. You are
temporarily excused. Please don't discuss your testimony
or knowledge of the case with anyone but the lawyers or
the accused while the trial is going on.
MAJOR FEIN: United States requested
(INAUDIBLE).

THE COURT: Court is in recess until 3:30.
(Hearing recessed at 3:20 p.m.)
(Hearing resumed at 3:30 p.m.)

Whereupon,

CHIEF WARRANT OFFICER ARMOND ROUILLARD,
called as a witness, having been first duly sworn to
tell the truth, the whole truth and nothing but the
truth, was examined and testified as follows:

DIRECT EXAMINATION
BY MAJOR FEIN:
Q  You are Chief Warrant Officer Armond
Rouillard of the United States Army 1st IO Command?

A  Yes, sir.

Q  Thank you.

Chief, what is your current position at
United States Army 1st IO Command?

A  I'm the senior tech advisor for the
lieutenant commander for 2nd Battalion, 1st IO.

Q  What does it mean to be the senior tech
advisor?

A  To advise him on anything that affects the
battalion mission. So one of our missions is the cyber
OPFOR teams, and we use them to test brigades that are
getting ready to deploy through attack networking,
attack methodology. And so I'm responsible for the
training and maintenance of those guys.

Q  And is that the mission of the 1st IO
Command?

A  Yes, the vulnerability assessment of our
networks for the Army.

Q  And I guess how broad or how comprehensive
is that charter?

A  Pretty wide. Up until very recently they
also managed the regional CERTs, which are directly — we
have those based across the United States. So we have
a CERT for CONUS for the United States in Fort Huachuca.
We have one for the southern area. So 1st IO manages
those guys and they're responsible for detecting
attacks or responding to intrusions or unclassified
spillages across networks.
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Q  What's  a  cert? 

A  Computer  emergency  response  team. 

Q  And  is  that  what  the  first  IO  command  team 

does,    still  manages  the  certs? 

A  Not  any  more.     We  assist  with  it,    sir,  but 

that  mission  is  passed  to  the  Army  cyber,   but  we're 
still  in  the  business  of  helping  those  guys,   but  we 
also  have  the  Army's  red  team,   blue  team,   green  team. 
The  guys  that  go  out  and  help  tactical  units  with 
network  assessments  for  vunerabilities  and  bring  guys 
in  later  to  give  them  reports . 

Q  And  you  just  threw  out  three  colors,  red, 

blue,   and  green.     Could  you  explain  for  the  Court  what 
a  red,   blue,   and  green  team  are? 

A  So  when  a  mission  gets  ready  to  deploy 

probably  about  nine  months  out  or  so  they  stand  up  all 
of  their  network  systems  and  they  prepare  to  deploy. 
And  the  first  team  they  get  is  what  we  call  a  blue  team 
which  comes  in  and  does  an  initial  assessment . 

It  will  assess  the  network,    go  look  for 
vunerabilities,    find  of  them,    figure  out  what  their 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/17/13  Afternoon  Session 


64 

general  posture  is  because  a  lot  of  these  systems 
fielded  from  PMs  and  they  might  have  default 
configuration . 

We  go  through  a  process  where  the  blue  team 
comes  out  and  does  an  assessment  does  and  gives  a 
report  back  to  the  commander .     After  they ' ve  had  a 
little  bit  then  maybe  a  month  or  so  then  a  green  team 
comes  out  and  does  pretty  much  the  same  thing,   will  sit 
there  and  help  the  unit  configure  their  equipment  to 
meet  the  suggested  configuration  changes  so  they ' re  not 
in  default  configuration  protecting  them  from  attacks . 

Later on, probably three or four months before they deploy, during an MRX or a war fight or some exercise, they'll have the red team come out, which is one of the final stages, and the red team will simulate the enemy and try to attack their network through social engineering or other cyber attack type tools, and then again they give a report back to the commander on how effective they were, what configuration changes they need. All of that happens at home station.

The final part of that assessment is the cyber OPFOR teams which 2nd Battalion, 1st IO has, and as the brigade is at JRTC getting ready to deploy they again stand up, but the commander's now in his operational focus.

We have the OPFOR guys on site simulating the enemy and trying to break into their systems to demonstrate to the commander what the effects of the cyber domain are.

Q  And you just used two other terms. Can you explain for the Court what you mean by attacks, prevent attacks?

A  Right. So we perform a lot of vulnerability assessment, looking at the networks or the configurations of their network equipment or their services or Enterprise level conversations like Active Directory or Exchange, and we assess it for vulnerabilities to help them defend, better help them implement the appropriate configurations into their systems.

Q  And which networks are you talking about?

A  Prism SIPRnet.
Q  What about NIPRnet also?

A  We do also assist with the assessment of those, primarily at CTCs they only scan up the SIPRnet, but if they bring out a NIPRnet then we'll also enter those.

Q  What is your current branch and MOS?

A  255 sierra.

Q  What is that?

A  It's an information protection technician.

So about 2008, 2007/2008, the Army realized that we had this cyber domain similar to air, sea, land. We also encountered a lot of combat in the cyber domain.

So realizing we needed to fill that, defend that gap, the warrant officer corps assessed, the signal warrants assessed that we needed to provide additional training to help our guys be the technical experts on the ground for protecting this domain.

So they created a 255 sierra MOS which is fed from the Alphas, the 255 Alphas, the 255 Novembers, which are signal warrants. There's an assessment process. They have IA level 3, which requires a certain level of certification. They submit a resume which is a, you know, a raw defined skill set that they've worked in the information assurance field, and then they're given an assessment exam, and if they meet all of those requirements they come to Fort Gordon to the 255 sierra course and attend about six months in training on network defense capability such as forensics, perimeter defense, pen testing, which is that vulnerability assessment from the outside trying to attack into a network and looking for a way it can be exploited, incident handling and other cyber domain related skills.

Q  And what year was the 255 sierra MOS created?

A  Officially we started flagging warrant officers at 255 sierra just this past year. We've been training them since 2009 or 2010 I believe, right around in that period. We started design of the course in about 2008 and I was one of the guys that they reached out to and said, what needs to be in this course, because I had been working the field for a while on this. When we assess we kind of did a lot of broad sweeps looking for what commanders were looking for, what were the holes that we can fill as signal warrant officers to fill that gap.

It's been successful, the model, to the point that the Signal Corps is now also developing similar tracks for our enlisted and for our officers.

Q  And what was your role, or excuse me, have you ever taught in the field of cyber security?

A  I have. So I was one of the eight selected — one of the initial instructors for the 255 sierra course. A lot of, especially in this type of field, in the cyber field, you have specialization.

So my specialization was securing Windows environments and the pen testing area.

Q  And again what specifically is pen test, not too technically, just in layman's terms?

A  To attack or assess a network from an external view kind of thing. So you're assessing that network posture looking for potential ways that an adversary can exploit it for their gain.
Q  How long did you instruct, teach as a 255 sierra?

A  Three and a half years.

Q  Are you still currently instructing?

A  I do actually. So twice a year I travel back down to Fort Gordon TDY and I teach the securing Windows block.

Q  What do you mean by securing Windows?

A  Part of our courseware is based on industry standards. SANS is a well known corporation for training in this field. So the Army uses SANS training for portions of ensuring that our information protection warrants are trained properly and certified according to industry standard.

So one of the courses we have is the securing Windows and preventing malware, which I'm responsible for.

Q  And you spoke about certifications, what type of certifications do you have?

A  I have a number of certifications. I started certifying as a system administrator. So I have various Microsoft certifications in administration such as certificate 2003, 2008. I have Exchange certifications for — and all the Microsoft certifications are based on knowledge and expertise and experience for whatever you've been certified in.

In the cyber field I also have six GS certifications, which are the certs that we use to standardize our training for the 255 sierras, and some of those would be securing Windows, pen testing, incident handling, securing the perimeter and a couple of others.

Q  And what do you mean by securing the perimeter?

A  Securing the perimeter involves all of the network type gear that would be on the external part of a network. So you'd have the user part of the network where a lot of computers plug in. You have the services part of the network where you've got your servers and your Enterprise level services such as SharePoint and Exchange, and then you've got the perimeter with your firewalls and your intrusion detection devices and router configuration and that kind of thing.

Q  What were your duties or your assignment prior to being assigned to 1st IO Command at Fort Belvoir?

A  Prior to that I was an instructor at Fort Gordon. Before there I worked at the Microsoft Security Response Center for a year on a training with industry program.

So the military has a program where they'll take a green suiter, put us into a civilian corporation, and I had the luck of working at Microsoft in the place where they handle all of the zero day exploits that Microsoft works with, and a zero day exploit is something such as an exploit that there's no known patch for that vulnerability yet, and those are highly valuable.

So the Microsoft security MSRC really taught me a lot about how corporations deal with this threat of malware or malicious software vulnerabilities in their operating systems and how they respond to it and how they triage it and how their teams handle it at the program manager level type of thing.

Then prior to — so walking backwards, prior to working at MSRC I've been a system administrator at the BCT and the division level since '94 and prior to that was phones.

Q  What about your experience with mail server certifications or e-mail certifications?

A  From '94 through — 1994 through 2007 I ran Enterprise level services for the Army at the brigade and division level. That includes Active Directory, Exchange, SharePoint, update servers, client management, building the local network, configuring the local network. That kind of stuff.

The easiest way to sum that up is commanders expect garrison style services in a tactical environment. So that's what we provide.

Q  In your current capacity what echelons do you currently work with within the command structure?

A  I'm not really sure —

Q  You had previously testified that you at 1st IO Command provide red team (INAUDIBLE) for support. At what level do you provide that support to?

A  Yes, sir. Any unit that requests it. So it would be anywhere from a strategic unit that's a base. It could be Fort Meade would request a pen test. It could be a command unit such as Army Cyber. Army Cyber may request a pen or it could be a single brigade combat team. So the scope ranges pretty wide.

Q  Have you deployed before?

A  Yes, sir. I deployed a couple of times. The last two deployments were with 1st Cav into Iraq, 2004/2005 and 2007/2008. I was one of the two senior warrant officers in the G6 for the division at MND-B.

Q  What was your role during those two deployments? What were your duties?

A  Me and my other chief, we managed all of the Enterprise level services and the network that supported the 3,000 clients that were on Camp Liberty, and (INAUDIBLE) so first deployment we managed an Active Directory and Exchange configuration for — I can use file names.

Q  Yes.

A  Camp Fagi, Camp Felton, green zone and Camp Liberty tied all of those together in a single network that spanned the wide area network across Baghdad, and then the second deployment BCTs, we assisted the BCTs in standing up their own domain level services. So we didn't have as much network traffic.

Q  When you say expand the wide area network, briefly explain what you mean?

A  Tactical networks, when we put in tactical networks. It's very similar to a commercial network, just a much more limited availability. So like Fort Meade is tied to Fort Belvoir across a network both with phone and with data, but in a tactical environment the Army has to put those systems in.

So we have signal assemblages through satellite or on a site that will establish the connectivity, which introduces some unique variables into signaling where we've got to manage bandwidth a lot better than in a garrison environment, but it allowed us to connect — having all of the servers on Camp Liberty for the first deployment allowed us to manage all of the users in one location rather than having them scattered across (INAUDIBLE).

Q  Is that true for SIPR and NIPR?

A  Yes, sir, and CENTRIXS.

Q  What is that?

A  We call it the blue network. So it's a network that's higher than unclassified but lower than SIPR that we share classified information with our coalition partners, whoever's in that area. There's a CENTRIXS Iraq, there's a CENTRIXS Afghanistan, there are separate networks that have a certain pool of coalition partners that have access to that network.

Q  And earlier you said that when you set up a network technically you have to be concerned about limited availability. What do you mean by that?

A  Primarily the bandwidth. So here to Fort Belvoir in a garrison environment we have very large data pipes and it doesn't really matter what users do because the network will support it.

In a tactical environment we try to limit — we're much more cognizant of users on the network because it directly affects missions that are going on. If, for instance, I've got a lot of people surfing the web doing recreational browsing it may directly affect the commander's battle update brief or it might affect a UAD theater or something else. So we're very aware of monitoring bandwidth.

Q  When setting up this tactical network, at least for NIPR, does that access to the information on the NIPR network?

A  So who has access to NIPRnet? Just about every soldier in the deployed environment who would have access to the computer. Most all of the computers are plugged into it.

Q  What is USF-I?

A  That's, when I was deployed, it was the MNC-I. That's U.S. Forces Iraq. So that's what MNC-I morphed into after my departure from the theater. It's basically what I call the corps headquarters. So it's the higher headquarters that manages all of the divisions in Iraq.
Q  When you were in Iraq in 2008, what client did MNC-I use to manage e-mail in Iraq?

A  They use Outlook. Outlook is the user client that resides on the work station. The Army has chosen to use Microsoft products for their Enterprise solutions. So the brigade, divisions, and corps and all of them are fielded for their Enterprise level services, Microsoft server for the user management, Microsoft Exchange for the mail, and Microsoft SharePoint for document sharing. Those are the primary three Enterprise level type services that you would encourage.

Q  What is a global address list or a GAL?

A  The global address list is a list of all of the e-mail addresses available to a user to send e-mail to.

Q  And what networks had a GAL in Iraq?

A  All three of them, the NIPR, SIPR, and CENTRIXS.

Q  Who had access at least to the NIPR?

A  Anyone who had —
MR. HURLEY: Personal knowledge.

MAJOR FEIN: I'll ask a foundational question.

BY MAJOR FEIN:

Q  When you were in Iraq in 2007 to 2008 who had access to the GAL?

A  Anyone with access to the NIPRnet that had — anyone who had access to the NIPRnet that had a user account.

THE COURT: How do you know that?

THE WITNESS: Ma'am, all user accounts have an e-mail address and to get access to the GAL they just open up Outlook and the GAL is there.

CAPTAIN TOOMAN: In 2007 and 2008 was not necessarily true in 2009 and 2010, which is the time frame at issue.

THE COURT: Are you going to carry this over?

MAJOR FEIN: I may ask additional questions for foundation.

BY MAJOR FEIN:
Q  How many years have you been working with Microsoft products dealing with e-mail?

A  Since Microsoft Exchange I've got five, which would have been around '98, '99 I believe.

Q  Have you worked with, you said, Microsoft Exchange at the time 5.5 or something and its successors since then?

A  Yes. So 5.5 to 2000, 2003, to 2010. I'm a Microsoft trainer. So I constantly work with the Microsoft products. For the Signal Corps, for the signal warrant officers, I instruct a five-day block for Exchange server.

Q  And in your current capacity or in your capacity as a trainer and your capacity at first cyber command do you have personal knowledge of the different types of — Microsoft Outlook and Exchange used across the Army on NIPRnet?

A  I am.

Q  Including at the time Iraq and currently in Afghanistan?

A  Yes, sir. So the systems that the brigades, divisions, and corps use is quality BCCS or battle command and control system. It's a system fielded by tactical battle command on all of the active duty signal units that provides their Enterprise level services. All of them are fielded the same.

We train all of the soldiers at Fort Gordon on how to operate these systems. They have a general consistency on how they are configured and fielded.

Part of that fielding is their Active Directory configuration and Exchange configuration and so on, their SharePoint configuration.

Q  I'm sorry, Chief, was that true in 2007?

A  Yes, sir.

Q  Was that true in 2008?

A  Yes, sir.

Q  Was that true in 2009?

A  Yes, sir.

Q  What about 2010?

A  Yes.

Q  2011?

A  Yes.

Q  Today?

A  Yes, sir.

MAJOR FEIN: Your Honor, probably foundation has been laid here on whether the witness knows whether Microsoft Outlook was used in Iraq during the time.

THE COURT: Overruled. So why are we talking about 2007 and 2008?

MAJOR FEIN: Ma'am, the only reason for the 2007/2008 is simply to lay a foundation for Chief Rouillard being qualified as an expert in global address lists, their value, cyber threats.

THE COURT: All right. You heard what the government wants to do. Are you going to object to this expert or?

MR. TOOMAN: We are objecting.

THE COURT: Foundation, relevance, overruled.

BY MAJOR FEIN:

Q  Who had — who again, going back to Iraq, who had access to the NIPR GAL in 2010?

A  All personnel who worked in a staff environment or needed access to e-mail for their daily duties would have had access. Basically if they had an e-mail address and had an active account they had access to the GAL.

Q  Could any personnel on there have access?

A  They could, but you would need a demonstrated need to have. So we had a large number of soldiers in theater, a lot of soldiers were doing other duties that didn't require e-mail. So if they were on a team that kicked in doors or something like that or went out constantly they wouldn't necessarily have an e-mail account.

Q  Who outside the Army or Department of Defense had access to it?

A  To our e-mail servers?

Q  Correct.

A  Nobody.

Q  How is a GAL created?

MR. TOOMAN: Objection.

THE COURT: Overruled.

THE WITNESS: So the GAL was just a list of e-mail addresses. I say just, but it's a list of e-mail addresses that's created automatically when mailboxes are created for that user. When you go into an Exchange server and create a user mailbox an e-mail address is created and added into a different portion of the Exchange server.

The Exchange server takes all of those e-mail addresses, compiles them into what's called the GAL and creates a GAL for that server. In Iraq or in our deployed environment or even in the corporations, connectors are put between different Exchange servers. Those Exchange servers, such as a brigade and its division, will then exchange a copy of their GALs, to keep it simple. They exchange a copy of their GALs and then get one larger GAL with the division and the brigade, and that happens up the chain so to speak.

So MNC-I or USF-I, that division GAL which has been built with all of the brigades in the division gets replicated to the corps level and now that single corps level is replicated across. That's why you can sit in 2nd Brigade 4ID and e-mail somebody in 2nd Brigade 1st Cav who sit next to each other but are on different servers, because they share a common GAL, and that's why we do it.
BY MAJOR FEIN:

Q  So your very first step you said, once the user information is input, what do you mean by that?

A  So as certain users need access to Active Directory or an e-mail account. When that user account is created they're given an e-mail address. That e-mail address for us, for 1st Cav, from 2003 to when I left and even now we train guys at track, now we train them to use the AKO mail.

So for instance myself, my Army.rouillard, instead of being at usarmy.mail is at 1CDArmy.mail. Do that for a number of reasons. If I have a bunch of John Smiths in the brigade that John Smith is the same, I don't have to worry about deconflicting it because AKO or the U.S. Army mail has already deconflicted all of that.

So if Captain Smith is john.smith there on AKO, when he gets his account created in the brigade server he'll be john.smith3@2BCT1ID.

Q  When you talk about account creation, who does that?

A  Normally the G6 help desk or the S6 help desk will do it or the tech guys, but it's most always in the S6, G6 area.

Q  So in order to have e-mails populate the GAL what must a potential user do?

A  You must request an account.

Q  And then what happens with that request?

A  It's given to the G6 area, the help desk, and they either approve it or disapprove it. If they approve it they create the account.

Q  And briefly how does an account get created by that individual soldier?

A  So there's two parts to it because there's Active Directory and Exchange. So I have to create the Active Directory account first, which normally was our help desk, it would be Specialist Stone was my guy. He would sit down, open the terminal, open up the Active Directory management tool and create the user account from the request form that was filled out by the person requesting the account.

It would have such things as first name, last name, AKO mail address, unit you've worked in, any potential distribution lists you need to be on.

Distribution list is just a collection of e-mail addresses I could e-mail quickly. So if I wanted to e-mail command group I could e-mail command group at (INAUDIBLE) and it would go to everybody in that group. So you might have a number of those.

So that Active Directory account gets created so that they can log into the domain, and then an e-mail account is then created which creates a mailbox for them and gives them their actual mail address.

Q  So from receipt of the request form to completion of an e-mail account to population into the GAL, how much time is a single soldier or person spending on that one e-mail account?

A  If it's an individual one, probably 10, 15 minutes from the time they get the form to filling out all the information to it populating. There are automated tools that allow us to do that that sometimes we'll prep before we deploy, so we'll have a spreadsheet with a bunch of information already filled out and we can input it all at once, but historically it's been easier for us just to get the forms, fill it out from the form and put it in.

Q  What other resources other than the soldiers or civilians you just spoke about are required to create the GAL?

A  The soldier's work station in the help desk area that he's working on, the software that's running, and then the server resources that the account is being created on.

Q  And again briefly what do you mean by server?

MR. TOOMAN: We'll object on —

THE COURT: Overruled.

BY MAJOR FEIN:

Q  And, in general, what are the different types of Exchange server resources you're talking about? Please explain for the Court.

A  So to run a server you have the physical box or the server itself. There's the power that supports the server. There's the room that the server has to sit in. There's the air conditioner that you have to buy to cool the servers, the network cabling all has to be built, network configuration that has to occur to allow the servers to talk, and then there's also the updates, the security configuration and all the management of that server.

BY MAJOR FEIN:

Q  And when you talk about management of the server, what do you mean?

A  Anything from daily backups to reviewing logs for potential problems. With e-mail servers specifically you'll have — if you type an e-mail wrong it will hang in the queue, and with tactical networks that's an issue because it's trying to send out these mails and it's bouncing against the queue so it chugs it up.

So you'll go in and check your queue, make sure your queues are clear, make sure somebody is not sending out the 10 meg PowerPoint slide, that kind of thing. So somebody will periodically go in there and review the outbound or the inbound queue to see if there's any trouble.

Q  Specifically what about for the GAL before — I'm sorry, let me ask you this.

How do you separate the resources, either physical resources, equipment, or the soldier resources, from operating and maintaining and creating the GAL versus everything else you've just talked about, the Active Directory and the other portions of Microsoft?

A  Corporations have separated that pretty well. They'll have Active Directory administrators. They'll have Exchange administrators. They'll have very narrow lanes. For the Army we have a much more limited pool, especially at the brigade and division level. So we train our guys how to do everything, which gives them a much wider scope of authority, but their workload increases, which is okay because we work 12 to 14 hours a day, especially deployed. So we don't care, but the same guy that creates the e-mail server account will create the Active Directory account, will also go in and set up the client's work station. So it may be one guy from receiving that request all the way to configuring the e-mail client.

Q  And going back to, you testified just a moment ago about deconflicting issues, PowerPoint slides that might be too big. About how much time typically is a soldier dedicated to those tasks spending just to maintain the GAL?

MR. TOOMAN: Objection, personal knowledge.

THE COURT: Overruled.

THE WITNESS: So maintaining the local GAL is relatively easy, 15, 30 minutes a week that you go in and check it. As soon as you take that address list and connect it to somebody else such as another brigade or division or a corps or something, now you have an exponentially growing scope.

A lot of what we saw happen was duplicating e-mail addresses because as long as everyone put them in sequence everything stayed the same and you only had one copy, but if two brigades, for instance, connected to each other and shared the same GAL, if this brigade and this brigade are sitting right next to each other and they put a connector in without direction from division, the GAL gets replicated twice and now you have duplicate accounts and somebody has to go through and clean that up and troubleshoot it.

For us, 1st Cav, we spend anywhere from three to six hours a week working on GAL or address list type issues.

Q  And that's just at the division headquarters?

A  Yes, sir.

Q  And you said local GAL, what about at the brigade headquarters?

A  So brigade would be the local GAL. Wherever the local server is. So when I say GAL I more mean the entire address list that's been shared between more than one server. Technically it is correct to call a single address list on a single server a GAL, but the GAL normally infers that you have a much larger address book than just your addresses.

Q  How many Exchange servers were there in Iraq in 2010?

A  In 2008 there was a large number. I'm not sure in 2010.

Q  Is an Exchange server common at the brigade level?

A  Yes.

Q  And since when has it been common at the brigade level, what year?

A  At least 2004.

Q  2004 or 2005?

A  When we started fielding the brigade, the BCCS, the battle command and control systems. Those were fielded to fill that gap for the requirement for commanders to have e-mail servers in the field because what they found was that commanders were deploying and they weren't able to e-mail because the network — originally they would deploy with the concept of we'll use the AKO servers and try to use that.

When we try to use Enterprise e-mail now we come into issues over the web. So instead of trying to force commanders to talk to their people that worked in their unit across AKOs, the commanders were having their S6s and G6s stand up e-mail servers. The Army saw that, saw the need for it, so that's why they fielded the BCCS systems for the brigades.

I believe that started occurring officially at about 2004 or 2005 but I know that as early as 2003 all the brigades in the Baghdad area had e-mail servers.

MAJOR FEIN: The United States offers Chief Rouillard as an expert in both GAL systems and their values and cyber threats to the Army networks.

THE COURT: Yes.

MR. TOOMAN: We would object to Chief Rouillard being qualified as an expert in valuation. If we may have the opportunity to voir dire? I have no objection to Chief Rouillard being called as an expert with respect to the GAL generally, nor do we have an objection to him as an expert in cyber security.

THE COURT: Let's assume you're finished with your foundation. Are you going to allow the defense to voir dire on the value point briefly?

MAJOR FEIN: Yes, ma'am.

VOIR DIRE EXAMINATION
BY MR. TOOMAN:

Q Chief Rouillard?

A How are you, sir?

Q Chief, you spoke a little bit about a lot of the computer training you had on direct and you also spoke about, you know, a lot of the certifications you have. Have you received any intelligence training, like MI training?

A I have not.

Q Have you received any training on how one would go about valuing something?

A I'm not really sure I understand.

Q Have you gone to any courses where you were instructed on how you would go about assigning value to a thing?

A As an officer?

Q As an officer, as a civilian.

A As an officer we evaluate the value of things pretty regularly. I'm not really sure — no official training other than warrant officer training as an officer in the United States Army. They've taught me to assess the value of something and then we have yearly training on general evaluation of things and their value.

Q What does that training involve? Actually, before I ask you that, what sorts of things do you assess for value?

A For instance, like risk assessment type stuff. We all, Army officers, all Army personnel, go through the risk assessment type methodology on how to assess risk.

Q So you look at assessing risk. Have you had any instruction on how to assess a monetary value on something?

A No, sir.

Q Do you have any specialized knowledge in economics?

A I do not?

Q Understand. Economics.

A I do not.

Q Have you taken any courses in economics?

A One or two basic college level courses but not — I think I took — it was a while ago. So not specifically, no, sir.

Q So maybe like introductory level microeconomics and macroeconomics?

A Yes. I'd have to go back and look at my transcript.

Q Have you ever — of course we need to keep all of this unclassified and I wouldn't ask you to respond in any way that would elicit classified information. Have you ever bought e-mail addresses?

A I have not.

Q Have you ever sold e-mail addresses?

A I have not.

Q Have you ever attempted to buy an e-mail address?

A I have not.

Q Have you ever attempted to sell an e-mail address?

A I have not.

Q Have you ever before this case been asked to assess the value of e-mails?

A No.

Q Have you ever before this case been asked to determine the value of anything?

A No.

Q Monetary value?

A No, sir.

Q Have you done any sort of studies with respect to how various factors affect the value of something?

A No, sir.

Q So nothing on supply or demand?

A No.

Q Or the nature of information?

A No, sir.

Q And how that might contribute to value?

A No.

Q In your Army experience have you ever assessed anything for value, looked at it and said this is worth this amount?

A Monetary value?

Q Right.

A No, sir, other than like with our field with servers: as they get nearer to life cycle replacement or something of that nature, we do an estimated value of that server. We've had it for three years. It's more cost effective to replace it. That type of depreciation value, but nothing fine-tuned and accurate.

Q Okay. And you were asked to evaluate the value of the e-mails, the GAL e-mails, that are implicated in this case?

A Yes.

Q Without saying what determination you came to, how did you come to that determination?

A So open source intel: e-mail address lists are for sale on the Internet. So there's actually two values, monetary value and then the threat value.

Q Okay.

A The monetary value, because I don't have prior knowledge and I'm not in the business of buying or selling e-mail addresses, a simple Bing or Google search turns up a number of e-mail addresses available for sale. You can go here to buy e-mail addresses or there. So you could do a comparative cost valuation based on that since it's all open source.

Q Do you know if that is a common way to value e-mail addresses?

A I don't know. I don't sell e-mail addresses.

Q Do you know if that method of determining value has ever been reviewed, peer reviewed, subject to peer review?

A I do not. If I had a list of e-mail addresses that I wanted to sell I would contact that site and see how much they want to pay for them, which they advertise on their site.

Q When you visited those websites, I guess, when did you visit those websites?

A Being asked for this case. When I had discussions with you and when I was being consulted on the value of the GAL, because to me the value of the GAL is much more — because I protect our networks, the value of the GAL is much more important in what somebody can do with that data than just selling it.

Q I know you said that it was after this started, do you recall a year or month when you did those, conducted those Google searches?

A I believe the first one I did was — I'm trying to recall when I first came and saw you. Was that October/November, that time frame? I honestly don't remember. Whenever I first sat with you is the first time, and then I've looked a couple of times since then, and then as recently as this morning.

Q Would you say within the past year was when you ever looked it up?

A Yes.

Q Did you contact any of those sites?

A No, sir.

Q Do you know if those sites have ever actually bought an e-mail address —

A I don't know for a fact.

Q Do you know if they've actually sold an e-mail address to a person?

A I don't know for a fact, no, sir.

MR. TOOMAN: One moment. Your Honor, we have no further voir dire questions, but if I may just lay out our objection.

THE COURT: Go ahead.

MR. TOOMAN: We would object based on MRE 702. I don't believe that the witness will testify based on sufficient facts, nor do we believe Google searches are the products of reliable principles and methods of valuation.

Also, I believe those Google searches would be hearsay. Anything that Chief Rouillard would testify about regarding those e-mail sites would be hearsay, so under MRE 703 we would suggest those would be excluded since they are unlikely to be relied upon by valuation experts who do this as their business.

THE COURT: Thank you. Major Fein, can I ask why you didn't elicit some of these things before setting up your foundation?

MAJOR FEIN: Absolutely, ma'am. The reason some of this was not, simply, was because the United States was offering him as a cyber threat expert to talk about the second prong of what Chief Rouillard — defense didn't ask about, which is there's two different sources for him to evaluate the GAL. The defense didn't elicit the second source. They only elicited the first source, which is open source.

THE COURT: Am I assuming you want the second source and not the first source results?

MAJOR FEIN: The second source, Your Honor, based off of, since the mid 1990s, his experience in this field and what this information is and how it's used.

THE COURT: Are you proposing to ask further questions in laying the foundation?

MAJOR FEIN: Yes, ma'am.

THE COURT: You said there's two different ways to evaluate value. What are those ways?

MAJOR FEIN: May I ask the witness, because he didn't actually answer the question?

THE COURT: Go ahead.

DIRECT EXAMINATION
BY MAJOR FEIN:

Q Chief, the two sources that you would evaluate the value of e-mail addresses?

A There's the monetary value, that if you sell it on the open market or you sell it to a commercial entity or a corporation looking to do the spam mail type thing; that's normally not what the Army focuses on.

Much more dangerous to us, as the Army or as the government, is the ability to use those e-mails to target individuals in the military with those e-mails. So using this specific — can I use this specific address list as an example, the 2nd Brigade, 10th Mountain?

Q Yes, not using laptops.

A That address list, for example, is a group of military members who work on Fort Drum who are on the deployment. So if I was an adversary of the U.S. Army and I wanted to target a group of individuals and I had those e-mail addresses I could, for instance, pretend to be — I could craft what we call a spear phishing e-mail, which is a targeted phishing e-mail.

So you have phishing and then you have spear phishing. So the phishing e-mail is just a blanket, send out a bunch of e-mails, I hope somebody clicks a link or responds back; a spear phishing e-mail is much more targeted and has a higher probability of the user interaction or user response or user click.

So if I craft, for instance, a 2nd Brigade, 10th Mountain using this GAL list and the e-mail says I'm from PAO on Fort Drum and I'm looking to award five trips to Disneyland and 20 one hundred dollar gift certificates, fill out the enclosed PDF and send it back to me.

Many soldiers that are inexperienced click that link, open the PDF, and fill out the PDF and send it in.

Q Is that typically, are those spear phishing endeavors typically done for profit?

A They can. And, again, the profit part isn't necessarily what Army network defenders focus on.

THE COURT: Yes.

MR. TOOMAN: We would object based on, under 602, personal knowledge of spear phishing.

THE COURT: How do you know about all of this?

THE WITNESS: Through my information protection technician training.

THE COURT: Overruled.

THE WITNESS: Actually, to further answer that, we're trained specifically on using spear phishing campaigns. So part of the cyber OPFOR mission, as we go to attack or simulate the enemy at the CTCs, we use spear phishing campaigns against the brigades that are in the JRTC to try to get them to come to our website and click our links and install our malware.

So the enemy uses a similar tactic. So that pretending to be the PAO he could target a very — he could send out this e-mail campaign against a very targeted group of individuals who we've seen even today still click the links even though, with the yearly training and the user agreement they signed every year and all of the other training we give them, users still click links, and that's why we use this, to highlight when you click these links this is what happens, because ultimately until commanders see the effect of it, it's cyber stuff, they don't want to mess with it.

If they see the effect of my G1 or S1 lieutenant clicking the link as part of the spear phishing, her box was compromised and now somebody stole the alert roster with names and social security numbers.

BY MAJOR FEIN:

Q What experience, other than the way you've explained quickly for the Court, do you have with spear phishing?

A So training. I was trained during the 255S course and then also one of our methods that we use now with our cyber OPFOR.

Q And again, what is the ultimate goal of spear phishing?

A To elicit a response out of who I send it to. So it could either be financial or it could be compromise of that system.

Q What do you mean by compromise of the system?

A If I can convince a user, or if someone with malicious intent can convince a user, to click a link and visit my website that I control, I can then install a program on their machine because the user clicked the link; it will grab the file, install it on their computer and then open a connection back up to my machine.

When it does that with my machine listening, I can then connect back to their machine with their user credentials; because they clicked the link it gives me access into their box as if I was them.

Q And then you mentioned financial. What do you mean by that?

A So I could be just trying to rip you off, so to speak, fill out this link and send me $25 to enter the raffle for the PAO five Disney vacation giveaways or something like that, of that nature.

Q And in your experience in the last more than ten years of dealing with Microsoft's Exchange e-mails and cyber threats, have you seen those types of spear phishing e-mails for financial gain?

A Absolutely, on our systems, yes. I couldn't give you specific examples, but we have gone through, and the mail systems that the Army, the Exchange mail systems, usually we sit those behind what's called an SMTP gateway.

We'll have a server in front that's filtering a lot of the spam stuff. It's just another configured mail server type of client that gets the mail before it goes to the mail server. That will stop a lot of the generic, hi, I'm your uncle from Yugoslavia, send me $200 now for $500,000 later.

That's why Army systems don't get that, because we have very good spam filtering systems in place on the garrison network.

Targeted or spear phishing is much harder because now you have a — first you have a much lower list that you send out, but second it's targeted, so you're sending to a clearly defined list that's, again, military personnel, 2nd Brigade, 10th Mountain from Fort Drum. So it bypasses a lot of security that's not normally set to filter that. It's not normally in the subscription process that the spam filter will stop that.

Q And approximately how many years of experience do you have with these types of spear phishing e-mails that elicit money or ask for money?

A Spear phishing has been around since e-mail, I believe. So at least since 1995.

Q How often since 1995 have you had this firsthand knowledge, experience with these types of e-mails?

A In my personal mailbox or —

Q In your official capacity —

A As far as protecting against them, since my first Iraq deployment with 1st Cav, about 2003 or 2004, when I became responsible for the mail servers at 1st Cav. That's where we focused on protecting our users from spam mail; but, again, the more serious threat for Army guys was people clicking the link or downloading the malware, or someone who was not pleased with the United States trying to exploit our military systems.

Q You mentioned spear phishers and those, could you — what are the other groups of people or individual groups that would use e-mails from the United States government?

A So part of our 255S training, we kind of evaluate the different, what I call, buckets of threat, and you'll have everybody from — it starts out at the lowest level, and we use this for our training model basically. So as we do our OPFOR mission this mirrors very closely.

You'll have the low skilled guys or just generally displeased with the government, they might have a blog page or something and say we don't like the U.S. So if they had a list they might try to low key general spamware to the whole list. You might have more elite hacker groups like Anonymous that potentially could use it, and then all the way up to nation state actors that would wish us harm.

Q What do you mean by nation state actors?

A So any other country that's attempting to compromise military networks to — I'm trying to stay in bounds, but military — different countries that are trying to compromise military networks to steal our intellectual property.

So as an example, if I was in a country that didn't like the United States and I could get a contractor that worked on a government project to click on a link that would give me access to his box, I could have complete access to that contract project that he was working on. So it's not just military, but also everybody that supports us.

Q What about corporations or other corporate actors trying to obtain lists?

A The corporate actors would probably fall into more of the financial gain. My experience, I haven't seen Microsoft trying to take over Army systems, but if they were looking to sell Xboxes to soldiers coming back, or Ranger Joe.

If Ranger Joe, a common military website that sells military type gear, if you wanted a targeted audience, if he had this global address list of, you know, majority Army guys, then he has a much better chance of getting somebody to go to his website, so to speak.

MAJOR FEIN: Your Honor, the United States renews its motion to the Court to qualify Chief Rouillard as an expert in evaluating e-mails — really the global address list, Your Honor, not the e-mail.

THE COURT: That's different than what you originally asked for, you said value?

MAJOR FEIN: Yes, ma'am, the value of the global address list.

THE COURT: 128 (INAUDIBLE) is anything other than money?

MAJOR FEIN: No, ma'am, it's the different markets on how the money and how that valuation is done, through the buyers market, thief market, and the United States would argue that Chief Rouillard is — at least the defense argues that he has assumption on buyers market based off of known ways because he went on Google and looked, but differently in a thieves market as far as his experience with over more than ten years of getting e-mails saying click here, how much they're paying and where the sources of those e-mails come from; that would be the authority, Your Honor, or at least (INAUDIBLE).

So it's not — the United States is not arguing that value is measured in dollar amounts. We agree with that. It's how it could be measured to determine that dollar amount, and the United States offers that Chief Rouillard's opinion on that is expert opinion based on his qualifications and experience and could aid the Court in understanding its monetary value.

THE COURT: Here's what I'm going to do. You have the witness on the stand, I'm going to let you go ahead and finish your questioning. I want the government to provide me with authorities for how value is measured. Defense, you've already given me something, but you can supplement me with something you've given me in thieves market, and I will decide based on those submissions whether I accept those or not.

MR. TOOMAN: The defense would request first to —

THE COURT: You can do it on cross examination.

MR. TOOMAN: Okay.

MAJOR FEIN: Ma'am, for purposes of the pending objection, the United States moves into the opinion testimony because the United States intends to elicit factual testimony after that.

THE COURT: You're eliciting the opinion and you're going to move on to something else?

MAJOR FEIN: I'll notify the Court exactly when I'm moving on.

THE COURT: Okay.

BY MAJOR FEIN:

Q Chief Rouillard, based off of your experiences with spear phishing, how much does a foreign adversary, how much would they pay for blocks of e-mails you discussed earlier, like 2/10 Mountain?

MR. TOOMAN: We'll object based on hearsay and 703.

THE COURT: I've already said I'm going to listen to them and decide afterwards. You can put it down in the brief that you'll be filing.

THE WITNESS: Repeat the question. I'm sorry.

BY MAJOR FEIN:

Q Based on your experience with spear phishing, what is your opinion on how much a foreign adversary would pay for a block of e-mails like the 2/10 Mountain e-mail block you explained earlier?

A So honestly monetary value is hard for me to assess. However, it's one of the top three to five documents that I would seek from an adversary.

So a lot of — one of the first things we do in the — as you're trained in the cyber attack methodology, one of the first things you do is gather intel or open source intel, and as you do that you might visit their websites and gather the e-mail addresses that they have on their websites or information they have.

So, for instance, if I was interested in Army Cyber I would go to Armycyber.usinternetmail and I would look at who is the commander, what his bio reads, and that's why all of those public facing documents go through a very stringent examination by PAO to make sure none of that information being released to the public is detrimental or dangerous.

With a list of addresses that are specific to that unit, especially with reference to this GAL list, in 2010 the other threat was the first part of that e-mail address was their user account.

So not only is it their e-mail account, but because we were not doing the smart card login (INAUDIBLE) it was also their user login. And so all I had to have was their password to login as that user.

For value, it's when I train my cyber OPFOR guys I tell them this is one of the top things you want. Also one of the first things we look for, because that's our normal attack methodology, is you send out some type of spear phishing e-mail to get the user to click on that link to either visit our website or install our malware.

MAJOR FEIN: Your Honor, may I have a moment?

THE COURT: Yes.

MAJOR FEIN: To make it easier, the United States withdraws qualifying Chief Rouillard as an expert in the GAL evaluation. The United States will not ask any further opinions of Chief Rouillard on that topic.

THE COURT: You want me to disregard what we've just heard?

MAJOR FEIN: Yes, ma'am. The United States is going to elicit similar testimony, just fact basis — frankly, Your Honor, the witness did not give the actual value. So, yes, the Court will disregard that.

THE COURT: You want the Court to disregard everything following Captain Tooman's questioning (INAUDIBLE)?

MAJOR FEIN: Yes, ma'am.

THE COURT: It's done.

MAJOR FEIN: Your Honor, court reporter, Prosecution Exhibit 147 Bravo and 148 Bravo.

BY MAJOR FEIN:

Q Chief Rouillard, I'd like to go back to the GAL itself.

A Yes.

Q The creation and maintenance. Earlier you testified about — you testified about the number of soldiers and hours that soldiers spend on the creation. What is a typical rank of that soldier who creates entries into the GAL?

A For us normally it was a specialist up to junior NCO at the help desk.

Q And that was at the division?

A That was at the division; brigade very similar. They just had less people, and for the creation of important accounts, like I didn't want my general's account screwed up so I would see it, but in general the help desk managed it just fine.

MAJOR FEIN: Your Honor, permission to publish Prosecution Exhibit 147 Bravo?

THE COURT: Okay.

BY MAJOR FEIN:

Q Chief Rouillard, do you recognize this?

A Yes, sir.

Q What is it?

A This is the portion of the GAL that was on the disk that I looked at earlier. This is the user name — these are the standard type text we would have on the end of the GAL. So as you were searching through, if you didn't necessarily know the name you would have other information.

So, for instance, from the first line you can tell that John worked, he was a master sergeant and he worked at MNF-I.

Q Okay.

MAJOR FEIN: Your Honor, permission to publish 148 Bravo?

THE COURT: Go ahead.

BY MAJOR FEIN:

Q Chief Rouillard, do you recognize this document?

A Yes, sir.

Q What is this?

A This is another portion of that GAL extract. This is actually — it appears to have been extracted from the Exchange server itself because of the first part where it says first administrative group recipients. That's similar to Active Directory, because Active Directory and Exchange kind of install together.

The primary important part here is the last part of that. For instance, John, iraq.centcom.mil. So John.black@iraq.centcom.mil would have been his e-mail address.

Q  When  forces  rotated  out  of  Iraq,  what 

happened  at  this  point  to  their  GAL  entry? 

A  Probably  30  days  prior  would  he  would  start 

coordination  —  the  short  answer  is  that  their 
addresses  would  come  out  of  the  GAL  relatively  quickly 
because  we  didn't  want  expired  e-mail  addresses  out 
there  or  duplicates .     So  as  these  guys  were  rotating 
out  within  a  couple  of  weeks  the  higher  ups  —  so  if  it 
was  a  division  or  MF  or  USFI  would  delete  their  portion 
out  of  their  exchange  server  so  it  wasn ' t  replicated 
around . 

Q  And  from  a  cyber  threat  perspective  what 

potential  threats  are  there  with  this  information  being 
released? 

A  So  just  this  information,    if  this  is  active 

right  now  I  can  tell  user  names,   then  I   just  need  the 
password.     I  can  also  tell  what  server  they're  on.  So 
that  there  is  the  server  that  they're  on.     So  Iraq 
CENTCOM mil, because it's connected to the unclassified network on the NIPRnet, I can get to that server from anywhere. I can get to that from anywhere in the world because that's how we designed them.

I can target let me dot black on that server, but this also tells me the different servers that they're on. So you can look down towards the bottom where you have NMDB. That's a user off of a different server, and you can then use like a basic script and break all of these portions up into different groups of people. So now I know which server they exist on.

Q If someone has rotated out of theater after this left possession of the government, how else could it be used to further foreign adversaries' and spear phishers' endeavors?

A Because our standard operating procedure for all of our signal guys, we teach to use your AKO e-mail address. The first portion pulls an address deconfliction (INAUDIBLE). I could take tracy.black or zachary.black and just do at usarmy.mil and that's
their AKO e-mail address or their mail.mil address and I can still use a similar spear phishing campaign to target you.

So if I knew you were in 10th Mountain or NMDB at the time: we're looking for all personnel that were assigned to MNDB between 2009 and 2011, please reply by filling out there for your unit's, your meritorious unit commendation, fill out this the basic information, and so that would be another example of a spear phishing technique because it's relatively easy to craft, falsify the source, say it's coming from Army PAO or something. That's a relatively easy technique.

I connect to a mail server. I can stand up a mail server, create whoever I want to send this out with a small PDF or a mutual website: please connect to this website, put your information to ensure you get this certificate of participation in the Iraqi campaign.

Q So can you explain though this is showing you used the example, and, for the record, Chief Rouillard underlined the second line from the top and
underlined CENTCOM.mil in the third line from the top.

Could you please explain using the same one how one uses dot blackbox and iraqcentcom.mil to do that after someone has rotated out of theater?

MR. TOOMAN: Okay, based on relevance. This line of questioning will be in more on line with 7 (INAUDIBLE) defense would not (INAUDIBLE) what's not relevance for this.

MAJOR FEIN: Your Honor, the United States is offering this as relevance is to value as a fact witness. This goes directly to what could potentially happen and the United States intends to call Mr. Louis who is going to talk about foreign adversaries and what they do with our contact information and e-mails.

MR. TOOMAN: We would object based on 701. If we're talking about value, this type of value would require specialized knowledge under 701; he is not an expert and this —

THE COURT: Overruled. Go ahead.

BY MAJOR FEIN:

Q So to re-ask the question. You testified
that lena.blackbox, last name at iraqcentcom.mil, that's the e-mail that's listed in this GAL. How does that e-mail, how can that e-mail then be used by foreign adversaries or spear phishers, because that's the Iraq e-mail; when they rotate out that e-mail no longer exists?

A But the first half of that e-mail we've discussed is the same for your U.S. Army e-mail address. So I could even do it in a script. I could take this entire —

Q What do you mean by script?

A A simple text file. So a scripting language is a way to automate tasks, and like, for instance, Python is one of the languages you can use to script. I can take an input file, I can extract certain fields. So I could say extract everything after slash CN equals. It extracts that address, strip off the iraqcentcom.mil and paste in at usarmy.mil and you can actually automate this, but you can just as easily go in and hand craft it and change any of these e-mail addresses to at usarmy.mil and have a high likelihood
of having their e-mail address if they're active now, if they're in the active duty now.

Q And why would foreign adversaries want the GAL?

A To target military personnel to get them to click the links.

Q And you mentioned earlier social engineering. How would social engineering (INAUDIBLE)?

A So first I find an audience that I want to target an adversary, and for this instance I'm using Army. These are all Army people or Army affiliated personnel.

So I send an e-mail with a web link or a PDF or something similar to that e-mail address.

THE COURT: Yes.

MR. TOOMAN: Your Honor, I think it goes beyond the scope of laying a factual foundation. I would object to 701.

THE COURT: Overruled.

Go ahead.

THE WITNESS: So the user would then
receive the e-mail in their box. It could appear to come from anybody you'd want it to come from. They see this e-mail comes in. It could be, for instance, we're evaluating — I saw on the early times we're evaluating to go to a new single will ACU pattern. So it would be this at this the site for selection of five ACU patterns and we're just doing a public survey to see which one you would like, and it would come from a PAO or a civilian company.

So many soldiers would then click that link taking them to a website which might actually have five different patterns of ACU to select and then they click on one, it says thank you, insert name here, give some type of actual account back, but it's also collecting information on the machine that they're on. It would attempt to download malicious codes into their box. It could do a number of things because I've tricked you to go into a site which you would not normally visit, which is why we invest so much in the yearly mandatory training for this type of attack.

Q Are you familiar with the program WGet?

A Yes.

Q How is WGet used when it comes to social engineering attacks?

MR. TOOMAN: Relevance. This man is not charged with using WGet for social media attacks.

THE COURT: What's the relevance?

MAJOR FEIN: Your Honor, the relevance is Chief Rouillard has specialized knowledge about WGet. This is laying the foundation to ask subsequent questions as to how he knows WGet and as to questions about WGet.

THE COURT: What does the malicious spyware have to do with any of this?

MAJOR FEIN: I'm sorry?

THE COURT: What was your last question?

MAJOR FEIN: Ma'am, I can rephrase the question, if that's the issue?

THE COURT: Just move beyond that. If he is going to talk about programs itself, that is relevant.

MR. TOOMAN: We've heard a lot about WGet

THE COURT: Overruled.

BY MAJOR FEIN:

Q Chief, on a break, first, I'm going to remove from and return — remove from the projector and return, give to the court reporter 148 Bravo and Prosecution Exhibit 147 Bravo.

Are you familiar with WGet?

A Yes.

Q What is WGet?

A WGet is an application or a program. WGet is a program that will download a static copy of web content such as a website or a SharePoint site and will download how much of it you tell it to download.

If I say execute WGet against PAO (INAUDIBLE) it will download the static copy of the entire public facing website to my computer.

Q And can you please explain for the Court, again, very briefly, how have you used WGet in a Windows environment or just WGet in general in your job as a cyber threat analyst?

A So for us we use WGet — so there's two
versions. There's a Windows version and a Linux version. The Windows version is not installed by default. You have to put it on there, but once — other than that, the functionality is the same, but because our guys are comfortable with Microsoft Windows we tend to install and use that; but when you run WGet and download the page that lets you grab the entire page, one of the reasons we use it is when we're doing the open source Intel gathering on a site, I can download the web page and I can take that web page and feed it into a script again that will break the web page up into a bunch of words or a dictionary file.

I then use that dictionary file against user names that I have in an attempt to use those words as passwords. So something that was pertinent to that unit, for instance, if their motto was Black Jack then the commander might have his password as blackjack6!

So my program will take words that are relevant to them, do what we call a little of maining, changes Es to 3s and such, and then run that dictionary file against user accounts in an attempt to guess a
password.

Q And this is in your OPFOR capacity?

A Yes, this is all as an attack methodology.

Q And with that do you have authorization to use WGet on your computer or do you have to install it?

A We do. You have to be — it's not part of the normal Army load. So it's not an authorized tool that the Army users encounter. It's only for, as far as the Army is concerned, the only people that I'm aware of that use it are pen testers and OPFOR.

Q And when WGet runs in the Windows environment on the screen, what does it look like?

A So it's a command driven tool. So it's a command line tool. It's not a normal Windows thing that we're used to. It's a black box on the screen, which is your command window. It will look like a bunch of typed commands.

So if you squinted down or read through the commands you would see that it would say WGet something, but otherwise it just looks like a command prompt screen with text.

Q When you said squint down?

A By default when you open up a command prompt the text is relatively small. So five, six feet away I can't read it. Like I couldn't read the one on his computer if I was standing here.

Q When WGet is running, does it have across the top of it in big letters WGet?

A No, sir. It has a — it has the page it's downloading and then some status messages, but there's not a big announcement that WGet is running.

Q And can WGet be run in the background?

A It can.

Q What does that mean?

A Windows gave us the capability to run multiple things at once. So on the top of all windows there's a little icon that looks like a bar. If you click that, it's called minimizing it and moves it down. You can just as easily drag the Internet Explorer. That's why you can browse your mail and check the web at the same time.

Q Are you familiar with mIRC Chat?

A Yes.

Q How are you familiar with mIRC Chat?

A So —

Q In your official capacity?

A In my official capacity we used mIRC Chat in 2003/2004 and in 2007/2008; on both deployments we used mIRC Chat with my AFA or the artillery guys to coordinate with other units for their artillery field of fire.

Q When you say we, who is we?

A The 1st Cav, sorry.

Q The division headquarters?

A Yes, sir. So they coordinated with the Air Force because it was the tool the Air Force was using and that's what they chose because it's a — it's also a tool that is used just for text chatting, but with Army systems in theater, the only simple I saw was AFA test.

Q And what did it — when mIRC Chat runs, what does the screen look like?

A The application has a distinct look. It will say mIRC Chat. It will have users and channels on
one side. It will have a text field in the middle with the chats scrolling up and down and you can kind of tell chats going on.

Q And you mentioned if you were sitting there looking at the court reporter's computer you couldn't see WGet. Could you see mIRC Chat running?

A Right, I could see mIRC Chat running. I would probably have to look a little closer to see if it was mIRC Chat because it's a Windows application and it has a — if you had seen mIRC Chat before you would know what it looked like. If you had never seen it you would know just from a glance it was mIRC Chat, but if you have seen mIRC Chat before you would know that was mIRC Chat?

MAJOR FEIN: Ma'am, may I have a moment?

THE COURT: Yes.

MAJOR FEIN: Your Honor, the United States has no further questions.

THE COURT: Just for the record, this witness was accepted as an expert in the GAL and cyber security. So the Court allowed the testimony that was
objected to on the fact basis.

Cross examination?

CAPTAIN TOOMAN: Defense requests a ten-minute comfort break.

(Hearing recessed at 5:00 p.m.)

(Hearing resumed at 5:10 p.m.)

(Testimony started before we had sound.)

CROSS EXAMINATION

THE WITNESS: Unplug the machine from the network and log in locally with a local user account and still access many of the same files and everything else.

BY MR. TOOMAN:

Q So I may be able to do that, but I couldn't print?

A You could, without being part of it, if you're still plugged into the network.

Q Right, I'm plugged into the network.

A I'm plugged into the network, but I log in locally. So I'm not part of the domain, just logging in a local user account. I could still print. I could
still visit websites. I could still run programs on my machine. I may not be able to do domain specific services such as access restricted areas of SharePoint or access e-mail if I'm on a machine that's not part of the domain, or if I'm logged in locally and I try to open up my e-mail I'm going to get a prompt for what we call domain credentials. It's then going to ask for a domain user, domain password, which if I don't have I'm not going to get into the e-mail.

Q You'd need Active Directory to get anything into that domain that would be shared drives?

A Potentially, depending on how the share drive is configured. So if the share drive was configured with a password, then all you need is a password to connect.

Q That typically —

A Sometimes. It really depends on how the individual user: if you're at home on your home machine you open up File Explorer, right click, share your movies drive, for instance, now the rest of your family can get your movies drive without having Active
Directory running in your house.

Q That's not how the Army —

A That's not —

Q We (INAUDIBLE) use share folder?

A That is not our standard normal implication because it still occurs on Army networks.

Q The shared drives that we're used to as users are connected to the Active Directory.

A Again, it depends on the system. A lot of the PM systems weren't integrated into Active Directory until 2007, I believe CPOF, which is a primary tool, command post of the future. There's a Wikipedia explanation, a real brief one, of what it is. It's basically a command and control tool.

Until recently that wasn't using Active Directory logs. So it really depends on the system you're talking about, but for the average work station for the user, the average work station would be part of the domain unless there was a reason that our security controls would break it.

So a good example of that would be the SI
system. I don't recall the name of it, but their system, if we implemented specific security controls on there, their system would no longer be functioning; people couldn't get orders and that type of thing. So we've excluded those from the security push from the domain.

Q And share drive is another example that it takes something that's —

A You can have either or. It really depends on who set up the share and how they set it up. So what we would say about using Active Directory accounts to control access to that shared drive, but it doesn't have to be.

Q Do you have any knowledge of how the Active Directory was set up in 2009 and 2010 in Iraq?

A Other than how we train all the soldiers who do it, no. I know from the training perspective we train all of the people who configure the systems, we train them all at Fort Gordon and that's who I was teaching from 2008 through 2011.

Q You don't have any direct knowledge of how much time or how many resources were used to input
users into the GAL in 2009 and 2010, the Iraq GAL?

A So I can —

Q I think you talked about your time at 1st Cav, but you don't have any knowledge of what was going on with respect to how much time it was taking to do those tasks in 2009 and 2010?

A So it's the same task whether it's me or somebody in 2nd Brigade 10th Mountain or somebody at the NOSC. If they're creating user accounts there's certain steps you have to do. That process is about 10 to 15 minutes.

Q It would take you less time than it would take me?

A Sure, but after you did it ten times you would do it as fast as anyone else. Think of it as changing a tire. If I was going to change a tire on my car, the first time I sat down to change the tire it would take me a while. After we changed 25 tires we'd both be about the same speed.

Q You mentioned on direct that there's automated tools that could be used to do that?

A There are. You can script the creation of user accounts and e-mail boxes into Active Directory. My personal experience is, most of us admins are basically too lazy to do it and we would rather click two or three hundred times to use up the time to do that, because the automated tools a lot of times it will take us six, eight, ten hours to work through the script on how to properly input all of that data. So rather than taking six to eight hours to learn to write the script, we take the 15 minutes per account, split it out between three or four guys and they just click through it.

Q It's possible that there might be someone who's good at writing scripts and they can just do it in a few minutes and take a lot less time?

A Possibly, but improbable.

Q When you say writing the script, what sort of program would be used to write this script?

A With Exchange, Exchange runs on Microsoft, and so PowerShell is the primary tool that we use now and it's very — it's a somewhat complex language. It's
easy to begin with and then it just gets more complicated as you go on, but primarily you would use PowerShell as the scripting language because it would be what was on the server, on the Exchange server.

Q So there's no, per se, prohibition against using scripts and automating processes on a system?

A There's no prohibition against using PowerShell or script on a system, but other scripting languages such as Python or Ruby or one of those other types of scripts that are used a lot wired, those have to be installed and, again, you have to have prior authorization from your G6 to install those, and a reason why you need those.

Q Right.

Now, you talked about — you were talking specifically about the GAL in this case. You talked about some of the threats with respect to having an individual's name, and if you have the name then you only have to figure out the password?

A Right.

Q That's one of two pieces that you need?

A Half the puzzle.

Q Are there protections to prevent a nondomain computer from logging on to an Army domain?

A So the user —

Q If I —

A I may not be understanding your question. The user account identified in the GAL doesn't have anything to do with a computer. If I wanted to exploit that, for instance, there may be potential blocks — if it's a public facing server, then I can use that account to log in. If the server is able to be (INAUDIBLE) so a lot of the standard deployments was the SharePoint server was accessible from the garrison because 1st Cav as an example we have personnel on Fort Hood and at Iraq that were accessing the SharePoint server. So we would create an account, allow them access from the outside.

Due to the escalation of the threat in the cyber domain we have since prevented a lot of that type of activity, but three, two three years ago those firewalls and the access list and stuff that would
block that access normally were not in place.

Q Well, one would have to get access to the network before they could try to figure out the password, correct?

A Correct, however, again, that user account that's identified in the GAL was also your usarmy.mil account. So I could use that to attempt to log in as you against the www.usarmy.mil. So until we went to using the user information not just to access the tactical environment, but also your www.

Q You talked about sort of that I guess is trying to hack into e-mails. The Army e-mail format is pretty well known, isn't it?

A I don't know. It's fully known to us in the military. I mean, I see it all the time, but I guess the best example is with common names.

So somebody could probably guess mine because I'm a somewhat unique name, but for Jeffrey Smith or Susan Johnson there might be a large number of those. So what is their sequence. The bigger threat
is that those accounts with that GAL identified what specific server they were on. So not just the usarmy.mil account, but if they could access any of the Iraq servers, because they were part of the NIPRnet domain on the unclassified network, if you could reach that server you could attempt to exploit using those against that actual server.

Q Were there protections in place to prevent someone from accessing those servers in Iraq?

A So, again, in 2007 and 2008, no. Now most likely there are, yes.

Q Was that the deal in 2009 and 2010?

A No.

Q You would agree with me that it's pretty easy to find the Army e-mail address format? You would agree with that?

A Sure.

Q And as far as names, one could really just put John.smith and then John.smith1, John.smith.2 and all the way up?

A Right. So the real danger of the amount of
information, we call this classification by, I forget the other term. When I take a bunch of similar information, we do the same thing with our network configurations.

When I take a bunch of disparate network classifications which are unclassified and I combine them into all one location, then that document actually becomes a classified document because of the amount of danger and the potential amount of exploitation that could happen from that.

Q The GAL wasn't classified, was it?

A No, but the threat is more than that single e-mail address because although I might know your e-mail and my e-mail here I now have a list of 150,000 e-mails. So I may not be able to get two, five, ten people to click, but if I send out 150,000 e-mails I have a much higher chance.

Q You talked about there being a threat that someone might try and send an e-mail from a commander?

A Yes.

Q Commander names are on the web?

A They are.

Q That's common knowledge?

A Yes.

Q You also mentioned that someone might take the unit's motto and try a variation of that as a password?

A Yes.

Q Those unit mottos are also on the web?

A Sure. However, again, when I was talking about WGet scraping the page I used that as an example, but there's a lot more information that they may talk about. Commander likes to snowboard or the commander was stationed here or there. So a lot of those words — and this is the technique that we use even today.

Scraping that entire page gives me that file with all words that — rather than running a standard dictionary attack which is, you know, just normal words in the dictionary, I can have a much more targeted list against that individual user who is tied to that whatever it is.

MR. TOOMAN: One moment, please, Your Honor.

THE COURT: Yes.

BY MR. TOOMAN:

Q Now, in the response you just gave you're assuming that WGet was used to pull the e-mail addresses in this instance in this case?

A No. So WGet scrapes websites. I'm unsure as to the tool that extracted the GAL. I don't think it was WGet. There are other tools that would extract that type of data if you have a connection. It's called an LDAP query. So lightweight directory.

Q You talked about WGet going and getting a web page. It's going to get something that's in the open source, right?

A It will get whatever you have access to.

Q So the 1st Cav website says the commander likes fishing, that's something that's on the 1st Cav website?

A Correct.

Q But WGet is not grabbing something that's
not there?

A Correct, but if I'm in a tactical environment and let's put nefarious hats on, for instance. If I use WGet to scrape the SharePoint I'm going to download the entire SharePoint site with all of the files that make up that SharePoint site that I have access to.

Q Now, you're familiar with archive.org, what's known as the Wayback Machine?

A Yes.

Q And WGet is the type of program that is used to populate that website. It goes out and it grabs whole web pages?

A Okay.

THE COURT: Do you know that or not?

THE WITNESS: I do not know that for a fact. I would accept that answer.

THE COURT: Do you know it or not?

THE WITNESS: I do not, no, ma'am.

THE COURT: Move on, please.

BY MR. TOOMAN:

Q Now, Chief, if a soldier wanted to download all of the e-mails from his brigade, he could do that?

A What do you mean by all?

Q If he wanted to get all of the e-mails —

A All of the e-mail addresses?

Q All of the e-mail addresses from his brigade, you could do that?

A He could, yes, sir.

Q There's never been any sort of directive or direction that went out and said you can't download e-mail addresses off the GAL?

A There has not.

MR. TOOMAN: No further questions. Thank you.

THE COURT: Redirect?

REDIRECT EXAMINATION

BY MAJOR FEIN:

Q Chief, you testified a few moments ago about common Army e-mail formats?

A Yes.

Q Is the user name, the portion that comes
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before  the  at  symbol,    is  that  information  in  bulk 
available  to  the  public? 

A  It  is  not,   no,  sir. 

Q  And  then  also  as  far  as  your  best  knowledge 

about  the  authority  soldiers  of  downloading  the  global 
address  list  book,   is  it  your  experience  or  your 
knowledge  of  regulations  that  allows  someone  to  do  that 
and  then  transmit  it  to  their  personal  computer  and  use 
it  for  personal  gain? 

A  No,    sir.      So  part  of  the  configuration  for 

the  Outlook  client  that  the  Army  uses  is  we  call  it 
off— line.     The  off— line  address  book  and  the  off— line 
files . 

If  you  become  disconnected  from  the  network 
there ' s  a  cache  copy  on  your  machine  that  allows  you  to 
continue  working .      I  haven ' t  had  anybody  download  the 
GAL  to  their  personal  machine  or  to  a  government 
machine,   and  moving  it  to  a  personal  machine  would  be 
against  the  rules.     We  don't  allow  moving  government 
type  files,   and  that  would  fall  under  a  government  file 
to  your  personal  machine . 
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MAJOR  FEIN:     Thank  you.     No  further 
questions,   Your  Honor. 

RECROSS EXAMINATION

BY MR. TOOMAN:

Q  Chief, if I logged on my personal computer and wanted to download a list of e-mails of all of the other judge advocates of the Army, would that be against the rules?

A  No, sir.

MR. TOOMAN:  Thank you.

THE COURT:  Anybody on redirect?

MAJOR FEIN:  Your Honor, may I have a moment?

THE COURT:  Yes.

REDIRECT EXAMINATION

BY MAJOR FEIN:

Q  Chief, in reference to the very last question.

A  Yes.

Q  Again, based off of your personal knowledge, is a soldier authorized to use their NIPR machine to download the entire GAL and move it to their personal computer for the purposes of giving it to a corporation, a company?

A  No, sir.

Q  (INAUDIBLE) of the U.S. government.

A  It goes to intent. What do you intend to do. If you are downloading the GAL to use on your personal machine because your machine is going in for repair, it may be okay to have selected individual addresses. There's not a reason to have the entire GAL on your personal machine that I'm aware of.

Q  Why?

A  The potential for abuse. I don't know that your machine is baselined or is kept in the appropriate patches. If your machine is compromised and you've moved the entire GAL from any theater down to brigade to your personal machine and your personal machine is compromised because your kid plays wacomo on a site, now the enemy has that address list and can exploit — again back into the whole spear phishing and targeting of it.

That's why we don't allow people to do that. That's also why on the AKO site all Army users are allowed to install Norton antivirus and all of that on your machine. We want personal machines to be protected at home. They'll issue you a CAC card so you can check your mail, but it goes to intent, and that's one of the big things in the cyber domains is if you have physical access, it's really hard to stop a maliciously intended person because they can do things regardless of technical prevention.

Q  And in 2008 when you last left Iraq, was a user — did the user have the capability on their personal computer to log on to the USFI domain and download e-mails —

A  Negative.

Q  — for their own personal use?

A  Anything connecting your machine into the government network, that was treated as a spillage basically for us at 1st cav. It was the same as if you took your NIPRnet and plugged it into the SIPRnet. You would get a visit from the G6, why are you plugging your personal box in here, report everything —

Q  What about at that time through a web mail interface that connects to the exchange in Iraq, did that exist?

A  It did not exist, to my knowledge.

MAJOR FEIN:  Thank you.

THE COURT:  Let me just (INAUDIBLE) did not exist in 2008 or did not exist in 2009 or 2010?

THE WITNESS:  I cannot speak definitively that it did not exist in 2009 and 2010. That was not part of our normal configuration to allow web mail access because of the attack vector, and if you did access your mail through the web mail then the address book is built into the web mail and you wouldn't need it in your personal box because it is part of the web mail client.

THE COURT:  I asked a follow-up question. Do you have any follow-up questions based on what I have?

BY MAJOR FEIN:

Q  As recent as today and after 2010 there is a web mail interface for the Iraq domain?

A  Not to my knowledge.

MAJOR FEIN:  Thank you.

RECROSS EXAMINATION

BY MR. TOOMAN:

Q  Chief, what rule says a user can't download e-mail addresses?

A  Again, there's not a rule to prevent you from downloading the e-mail addresses, but you would have to address the intent. Again, we don't write the rules for everything. There's not a rule saying you download every document on the SharePoint server, but if you did that you would get a visit — normally you would get a visit due to the amount of data that you're collecting. The question would be why do you need that amount of data.

So the same principle applies to the global address list, why are you — the command if that was scrutinized and they would say, why are you downloading 175,000 e-mail addresses for your personal thing where anytime you would use those addresses you would be connected to the military system that would have the address book there for you and you wouldn't need it on your personal machine.

Q  Chief, if your intent was I just wanted to see if I could do it, that would be okay, wouldn't it?

A  It wouldn't necessarily be okay, no, sir.

We don't allow people to just do things because they want. Again do I download the entire SharePoint server, and I use that because it's another big part of our Enterprise services. So if I allow — if I go back to the secured facility to download the entire SharePoint that's on the SIPRnet I will get a visit from my S2 guys and say, why are you downloading all of this data, what are you planning on doing with it because the logical assumption is you're going to do something with all of that data. So same principle applies to the GAL.

Now, there's not a specific monitoring tool — there's not a technical implementation to watch who's downloading the entire global address list because it's a feature that most people don't download and it's not a serious system inconvenience when you download the whole GAL, because it's only a few megs, but if you were to download the entire SharePoint.

Q  There's not a big suck on resources to download the GAL?

A  There's not a huge impact on resources to do the physical downloading of the GAL.

Q  There's no rule that says if your intent is just I wanted to see if I could do it, there's not a rule that says you can't?

A  There's not a rule written that says you cannot.

Q  Then if you deleted it after you figured out how to do it that it would suggest that the intent was —

MAJOR FEIN:  Objection, Your Honor. Your Honor, as speculative.

THE COURT:  Let's hear the question.

BY MR. TOOMAN:

Q  If the file was deleted after it was downloaded and it was done, what would that say to you about the intent?

THE COURT:  Don't answer that.

MR. TOOMAN:  Nothing further.

THE COURT:  Redirect?

MAJOR FEIN:  No, Your Honor.

MR. COOMBS:  Just on that last question. I understand that was going towards the cyber threat expert. So he talked about intent. He talked about whether it would be wrong or right depending upon the intent. So as a cyber threat expert if what he saw the person downloading it and deleting it.

THE COURT:  That would give him absolutely no idea what the person's intent was.

MR. COOMBS:  From a cyber threat standpoint he's testifying that something might be wrong, he did a certain act and he's saying well downloading the log GAL is not a problem, but if you have all of this information we would want to know why you have that, and then that might cause G6 or someone to come to you and ask you a question like why are you doing this.


Provided by Freedom of the Press Foundation

UNOFFICIAL DRAFT - 6/17/13 Afternoon Session

So in this instance at issue here is (INAUDIBLE) so the fact that information was deleted immediately what would that tell him as a cyber expert. That's where that question was going towards.

THE COURT:  So overruled. I do have a question for you. I'm still confused. I thought you answered to the government a little bit earlier that if a soldier wanted to download the e-mails all of his e-mail addresses from the brigade or defense the soldier could do it, there's no directive saying he can't.

THE WITNESS:  Correct, ma'am, there is not a rule. There is not a specific rule that says you're not allowed to download the entire address.

THE COURT:  You're talking about downloading on NIPRnet or a personal machine or is there any difference?

THE WITNESS:  When you transfer military data to personal machines there are regulations, and I'm sorry I can't quote them for you, but there are regulations that do not allow us to move military data to personal machines. I can't just take — download the SharePoint site is a good example because it has a bunch of unclassified data. So it might have alert rosters and PowerPoint slides and briefings and such. It might have a briefing from the NSA. I downloaded all of this data to a government machine. When I move it off of that government machine to my personal machine the question comes up, why are you doing that.

So there are rules that prevent us from moving data from a government machine. That's why you can't use thumb drives any more. You can't burn CDs on classified machines.

THE COURT:  Do you know what happens (INAUDIBLE).

THE WITNESS:  I do not. AR 25-2 somewhere the (INAUDIBLE) Act, but there are also local policies that would be implemented that would prevent that. I can research that if need —

THE COURT:  Any follow-up based on mine?

MAJOR FEIN:  No, ma'am.

MR. TOOMAN:  No, ma'am.

THE COURT:  All right.

MR. TOOMAN:  No objection.

THE COURT:  Please do not discuss your testimony or your knowledge of the case with anybody other than counsel while the trial is still on.

THE WITNESS:  Yes, ma'am.

THE COURT:  Just for the record, as part of my overruling of the defense objection I'm not going to consider any of this witness's testimony. He said there are rules regarding the transfer of data from the NIPRnet computer to a personal computer, noted where they are, and he doesn't know what they are; that's my understanding of his testimony.

MAJOR FEIN:  Yes, ma'am.

MR. TOOMAN:  Sounds right, Your Honor.

THE COURT:  Anything else we need to address today?

MAJOR FEIN:  No, ma'am.

MR. COOMBS:  No, Your Honor.
THE COURT:  Do we still need to talk about tomorrow? Do you want to take a brief recess and come back on the record and decide in ten minutes?

THE COURT:  The Court is in recess at ten minutes of 6:00, depending on how long this recess takes.

(Hearing recessed at 5:50 p.m.)

(Hearing resumed at 6:00 p.m.)

THE COURT:  Counsel and I met in an 202 conference to talk about the way ahead. First of all, we will be coming back on the record at 0930 for oral argument on the admissibility of certain prosecution exhibits that the defense has had hearsay, authentication and relevance objections to, and there was some confusion as to exactly what exhibits we were talking about. I know we're talking about Prosecution 109. What are the other ones?

MAJOR FEIN:  31 and 32.

THE COURT:  33 and 34 are not being offered by the government?

MAJOR FEIN:  No, ma'am.

THE COURT:  Defense, you already remained the citing for these two exhibits to be taken out.

MR. TOOMAN:  Yes, ma'am.

THE COURT:  Okay. That would be at 0930 tomorrow. We also discussed the way ahead after that. Right now the parties are negotiating additional stipulations of expected testimony. They're in draft form. They've got to go back, both sides have to agree to stipulations of expected testimony as does PFC Manning in order for them to be introduced as evidence in lieu of witness testimony. That takes time.

And the parties have advised — Major Fein, why don't you explain for the record what the parties would like to do.

MAJOR FEIN:  Your Honor, the defense and prosecution have agreed to enter into 17 more stipulations of expected testimony, and based off of the volume of the individual stipulations it will take both parties additional time in order to discuss the stipulations and come to an agreement and also provide certain ones to certain government organizations to have classification completed.

So the United States and defense came together and proposed that after tomorrow's oral argument the Court recesses until next Tuesday, which would provide both parties time by the end of this week to have the stipulations completed and then to send those to the different government organizations and for them to come back based off of a court order by Wednesday of next week.

If we reconvene, Your Honor, Tuesday of next week in a status hearing on the stipulations or any other issues that might arise and the goal then being on Wednesday the government resumes its case in chief by calling the next set of witnesses and reading the stipulations on the record.

THE COURT:  Is that the defense's understanding as well?

MR. COOMBS:  Yes, Your Honor.

THE COURT:  All right. And the Court did discuss with the parties this additional review by the other agency. That's between the government. You can certainly have whoever you want to review it, but it's not going to delay the Court. I move to have the court order coming out saying it's going to be three business days and that's it.

MAJOR FEIN:  Yes, ma'am.

THE COURT:  So I'll draft that order today and we'll put that in as an Exhibit tomorrow.

Is there anything else we need to address at this point?

MR. COOMBS:  No, Your Honor.

MAJOR FEIN:  No, Your Honor.

THE COURT:  The only thing I'm thinking of based on the testimony of the last witness I had asked the parties to prepare briefs on value and money, and the government has withdrawn that part of his testimony. Does either party see the need for briefs at this time?

MAJOR FEIN:  No, ma'am.

MR. COOMBS:  No, ma'am.

MAJOR FEIN:  There is one other administrative issue. Over the weekend there was an e-mail between the parties and the Court about not calling sentencing witnesses prior to 8 July. I'll just put on the record that the United States, based off of the defense not objecting and the Court approving that, United States did notify all sentencing witnesses or is in the process of notifying prosecution and defense witnesses that they would not be called any earlier than 8 July.

THE COURT:  That's fine. That was a series of e-mails that went back and forth. The defense had no objection. And, again, looking at the schedule now and motions, certain motions that may arise and the length of potential defense case we may not even be at that point by July 8th. We will have to see how we address that as we go along.

MAJOR FEIN:  Yes, ma'am.

MR. COOMBS:  Yes, Your Honor.

THE COURT:  Anything else?

MAJOR FEIN:  No, ma'am.

MR. COOMBS:  No, ma'am.

THE COURT:  The Court is in recess.

(Hearing adjourned at 6:25 p.m.)